Add WireGuard support for tunnel traffic encryption
This PR implements #2243. Change tunnel traffic encryption option
to enum type. The options contain none (default), ipsec and wireguard.

Signed-off-by: Xu Liu <[email protected]>
xliuxu committed Aug 27, 2021
1 parent f425a87 commit 871cc44
Showing 53 changed files with 1,804 additions and 360 deletions.
4 changes: 4 additions & 0 deletions build/images/scripts/install_cni
@@ -33,5 +33,9 @@ install -m 755 /opt/cni/bin/whereabouts /host/opt/cni/bin/whereabouts
# Load the OVS kernel module
modprobe openvswitch || (echo "Failed to load the OVS kernel module from the container, try running 'modprobe openvswitch' on your Nodes"; exit 1)

# Load the WireGuard kernel module. This is only required when WireGuard encryption is enabled.
# We could parse the antrea config file in the init-container to dynamically load this kernel module in the future.
modprobe wireguard || (echo "Failed to load the WireGuard kernel module, WireGuard encryption will not be available")

# Change the default permissions of the run directory.
chmod 0750 /var/run/antrea
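Review bot: `modprobe wireguard` runs unconditionally on every Node even though the comment directly above it says the module is only required when WireGuard encryption is enabled, so clusters that never use it still load the module; the comment already proposes parsing the antrea config in the init-container, and an interim gate via an environment variable or a flag on the install script would avoid that now. Two smaller points on the failure branch: not exiting (unlike the OVS `modprobe` line above, which does `exit 1`) is reasonable because the kernel module is optional when the wireguard-go sidecar is used, but the message should say that antrea-agent will fail later if `trafficEncryptionMode: wireGuard` is configured without it, and a warning like this belongs on stderr rather than stdout.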
19 changes: 19 additions & 0 deletions build/images/wireguard-go/Dockerfile
@@ -0,0 +1,19 @@
ARG GO_VERSION
ARG WIREGUARD_GO_VERSION

FROM golang:${GO_VERSION} as builder

RUN git clone https://git.zx2c4.com/wireguard-go && \
cd wireguard-go && \
git checkout ${WIREGUARD_GO_VERSION} && \
make && \
make install

RUN git clone https://git.zx2c4.com/wireguard-tools && \
cd wireguard-tools && \
cd src && \
make && \
make install

FROM ubuntu:20.04
COPY --from=builder /usr/bin/wireguard-go /usr/bin/wg /usr/bin/
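Review bot: the wireguard-tools build is not pinned. The wireguard-go clone is checked out at `${WIREGUARD_GO_VERSION}`, but `git clone https://git.zx2c4.com/wireguard-tools` is built from whatever HEAD is at build time, so two builds of the same image tag can ship a different `wg` binary and the image is not reproducible or auditable. Add a `WIREGUARD_TOOLS_VERSION` build arg and a `git checkout ${WIREGUARD_TOOLS_VERSION}` after `cd wireguard-tools`, preferably a tag or commit hash rather than a branch. For the same reason consider pinning `FROM ubuntu:20.04` to a digest, since the runtime layer also floats.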
20 changes: 20 additions & 0 deletions build/images/wireguard-go/README.md
@@ -0,0 +1,20 @@
# images/wireguard-go

This Docker image is a very lightweight image based on Ubuntu 20.04 which
includes WireGuard golang implementation and wireguard-tools. It can be used
for Kind clusters for tests when injected as a sidecar to antrea-agent.
The version is available at <https://github.com/WireGuard/wireguard-go/releases>.

If you need to build a new version of the image and push it to Dockerhub, you
can run the following:

```bash
cd build/images/wireguard-go
GO_VERSION=$(head -n 1 ../deps/go-version)
WIREGUARD_GO_VERSION=0.0.20210424
docker build -t antrea/wireguard-go:$WIREGUARD_GO_VERSION --build-arg GO_VERSION=$GO_VERSION --build-arg WIREGUARD_GO_VERSION=$WIREGUARD_GO_VERSION .
docker push antrea/wireguard-go:$WIREGUARD_GO_VERSION
```

The `docker push` command will fail if you do not have permission to push to the
`antrea` Dockerhub repository.
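Review bot: "The version is available at <https://github.com/WireGuard/wireguard-go/releases>" does not say which version; rephrase as "Available wireguard-go versions are listed at ...". The README also documents only `WIREGUARD_GO_VERSION`, while the Dockerfile builds wireguard-tools as well, so a reader cannot tell which `wg` version a given image tag contains; document the wireguard-tools revision once it is pinned. Minor wording: "based on Ubuntu 20.04 which includes WireGuard golang implementation and wireguard-tools" reads as if Ubuntu ships them; "based on Ubuntu 20.04 and includes the Go implementation of WireGuard (wireguard-go) and wireguard-tools" is clearer.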
27 changes: 20 additions & 7 deletions build/yamls/antrea-aks.yml
@@ -3820,20 +3820,33 @@ data:
# performs SNAT and this option will be ignored; for other modes it must be set to false.
#noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
# - geneve (default)
# - vxlan
# - gre
# - stt
#tunnelType: geneve
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
# - none (default): Inter-node Pod traffic will not be encrypted.
# - ipsec: Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
# Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
#trafficEncryptionMode: none
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
#defaultMTU: 0
# Whether or not to enable IPsec encryption of tunnel traffic.
#enableIPSecTunnel: false
# wireGuard specifies WireGuard related configurations.
wireGuard:
# The port for WireGuard to receive traffic.
# port: 51820
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
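Review bot: `enableIPSecTunnel` is removed from the ConfigMap with no deprecation note in the comments. Unless antrea-agent still honors the old key (nothing here says it does), a cluster upgraded with an existing config containing `enableIPSecTunnel: true` but no `trafficEncryptionMode` would fall back to the documented default `none`, and inter-Node Pod traffic would go from encrypted to cleartext silently. Either keep honoring the old key for a release and say so in a comment here, or have the agent refuse to start when the removed key is present, so the migration fails closed. Also, the `tunnelType` comment now says the option is ignored when WireGuard is enabled; since the `defaultMTU` comment just below still describes auto-adjustment for "tunnel encapsulation overhead", state that the overhead differs for WireGuard so readers know the MTU logic accounts for it.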
@@ -3983,7 +3996,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-66dt98cgtb
name: antrea-config-99c875tk88
namespace: kube-system
---
apiVersion: v1
@@ -4054,7 +4067,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-66dt98cgtb
value: antrea-config-99c875tk88
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -4105,7 +4118,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-66dt98cgtb
name: antrea-config-99c875tk88
name: antrea-config
- name: antrea-controller-tls
secret:
@@ -4386,7 +4399,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-66dt98cgtb
name: antrea-config-99c875tk88
name: antrea-config
- hostPath:
path: /etc/cni/net.d
27 changes: 20 additions & 7 deletions build/yamls/antrea-eks.yml
@@ -3820,20 +3820,33 @@ data:
# performs SNAT and this option will be ignored; for other modes it must be set to false.
#noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
# - geneve (default)
# - vxlan
# - gre
# - stt
#tunnelType: geneve
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
# - none (default): Inter-node Pod traffic will not be encrypted.
# - ipsec: Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
# Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
#trafficEncryptionMode: none
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
#defaultMTU: 0
# Whether or not to enable IPsec encryption of tunnel traffic.
#enableIPSecTunnel: false
# wireGuard specifies WireGuard related configurations.
wireGuard:
# The port for WireGuard to receive traffic.
# port: 51820
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
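Review bot: the enum value is spelled `wireGuard` in the option list (`- wireGuard: Enable WireGuard for tunnel traffic encryption.`) while the other two values are lower-case (`none`, `ipsec`) and the commit message calls it `wireguard`; pick one spelling and say in the comment whether matching is case-sensitive. This matters for safety: a user who writes `wireguard` and is silently mapped to the default `none` because the string does not match would run with inter-Node traffic unencrypted, so an unrecognized `trafficEncryptionMode` value should be rejected at agent startup rather than defaulted.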
@@ -3983,7 +3996,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-66dt98cgtb
name: antrea-config-99c875tk88
namespace: kube-system
---
apiVersion: v1
@@ -4054,7 +4067,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-66dt98cgtb
value: antrea-config-99c875tk88
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -4105,7 +4118,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-66dt98cgtb
name: antrea-config-99c875tk88
name: antrea-config
- name: antrea-controller-tls
secret:
@@ -4388,7 +4401,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-66dt98cgtb
name: antrea-config-99c875tk88
name: antrea-config
- hostPath:
path: /etc/cni/net.d
27 changes: 20 additions & 7 deletions build/yamls/antrea-gke.yml
@@ -3820,20 +3820,33 @@ data:
# performs SNAT and this option will be ignored; for other modes it must be set to false.
#noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
# - geneve (default)
# - vxlan
# - gre
# - stt
#tunnelType: geneve
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
# - none (default): Inter-node Pod traffic will not be encrypted.
# - ipsec: Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
# Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
#trafficEncryptionMode: none
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
#defaultMTU: 0
# Whether or not to enable IPsec encryption of tunnel traffic.
#enableIPSecTunnel: false
# wireGuard specifies WireGuard related configurations.
wireGuard:
# The port for WireGuard to receive traffic.
# port: 51820
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
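Review bot: `wireGuard:` is left as an uncommented mapping key whose only child `# port: 51820` is commented out, which renders as an empty mapping in the ConfigMap; either comment the key out as well, consistent with `#trafficEncryptionMode: none` and `#defaultMTU: 0`, or leave `port: 51820` uncommented as the explicit default. The comment "The port for WireGuard to receive traffic." should say it is a UDP port and that Node firewall or cloud security-group rules must allow it between Nodes; on a managed cluster like the one this manifest targets those rules are outside Antrea's control, and a blocked port surfaces as Pod-to-Pod traffic loss rather than an error.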
@@ -3983,7 +3996,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-d2f597tg62
name: antrea-config-dbmkcb65c8
namespace: kube-system
---
apiVersion: v1
@@ -4054,7 +4067,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-d2f597tg62
value: antrea-config-dbmkcb65c8
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -4105,7 +4118,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-d2f597tg62
name: antrea-config-dbmkcb65c8
name: antrea-config
- name: antrea-controller-tls
secret:
@@ -4389,7 +4402,7 @@ spec:
path: /home/kubernetes/bin
name: host-cni-bin
- configMap:
name: antrea-config-d2f597tg62
name: antrea-config-dbmkcb65c8
name: antrea-config
- hostPath:
path: /etc/cni/net.d
27 changes: 20 additions & 7 deletions build/yamls/antrea-ipsec.yml
@@ -3820,20 +3820,33 @@ data:
# performs SNAT and this option will be ignored; for other modes it must be set to false.
#noSNAT: false
# Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
# Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
# this option will not take effect. Supported values:
# - geneve (default)
# - vxlan
# - gre
# - stt
tunnelType: gre
# Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
# It has the following options:
# - none (default): Inter-node Pod traffic will not be encrypted.
# - ipsec: Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
# Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
trafficEncryptionMode: ipsec
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
#defaultMTU: 0
# Whether or not to enable IPsec encryption of tunnel traffic.
enableIPSecTunnel: true
# wireGuard specifies WireGuard related configurations.
wireGuard:
# The port for WireGuard to receive traffic.
# port: 51820
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
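Review bot: the new comment block spells it "IPSec (ESP)" and "IPSec tunnel" while the removed `enableIPSecTunnel` comment and this file's name use "IPsec"; the standard spelling is IPsec, keep one. More substantively, this manifest now carries two live settings, `tunnelType: gre` and `trafficEncryptionMode: ipsec`, but the comments only say "Currently encryption only works with encap mode" and that `tunnelType` is ignored for WireGuard; state explicitly whether gre is required for ipsec or merely the tested choice, so a user who changes `tunnelType` here does not break the ESP setup without warning. Also "Antrea uses Preshared Key (PSK) for IKE authentication" reads better as "Antrea uses a pre-shared key (PSK) for IKE authentication".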
@@ -3988,7 +4001,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-bgd79km9c8
name: antrea-config-tthkbhb7k5
namespace: kube-system
---
apiVersion: v1
@@ -4068,7 +4081,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-bgd79km9c8
value: antrea-config-tthkbhb7k5
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -4119,7 +4132,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-bgd79km9c8
name: antrea-config-tthkbhb7k5
name: antrea-config
- name: antrea-controller-tls
secret:
@@ -4435,7 +4448,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-bgd79km9c8
name: antrea-config-tthkbhb7k5
name: antrea-config
- hostPath:
path: /etc/cni/net.d