Add WireGuard support for tunnel traffic encryption #2297
Conversation
xliuxu
changed the title
xliuxu
changed the title
xliuxu
force-pushed
the
wireguard_client
branch
4 times, most recently
from
b823ec3
to
bd9fa04
Compare
Codecov Report
@@ Coverage Diff @@
## main #2297 +/- ##
==========================================
+ Coverage 60.34% 65.66% +5.31%
==========================================
Files 283 285 +2
Lines 22866 26335 +3469
==========================================
+ Hits 13798 17292 +3494
+ Misses 7585 7427 -158
- Partials 1483 1616 +133
Flags with carried forward coverage won't be shown. Click here to find out more.
|
xliuxu
force-pushed
the
wireguard_client
branch
7 times, most recently
from
2a6e9cf
to
2564d69
Compare
|
/test-e2e |
|
/test-e2e |
|
/test-e2e |
xliuxu
changed the title
|
/test-all |
xliuxu
force-pushed
the
wireguard_client
branch
2 times, most recently
from
5166d25
to
8ef795f
Compare
|
/test-conformance |
|
/test-e2e |
build/yamls/antrea-aks.yml
Outdated
| #trafficEncryptionMode: none | ||
|
|
||
| # The port for WireGuard to receive traffic. | ||
| #wireGuardPort: 51820 |
There was a problem hiding this comment.
have we decided that it is unlikely we will be adding more wireguard config parameters in the future? I'm referring to an earlier suggestion of grouping wireguard parameters in their own dictionary.
There was a problem hiding this comment.
I just saw your reply: #2297 (comment)
refactoring in the future is not great as it breaks backward compatibility. I'll leave it up to you to decide based on how confident you are that we will not need additional configuration parameters in the future.
There was a problem hiding this comment.
I changed it to group WireGuard related settings together. PTAL.
| @@ -77,8 +77,18 @@ featureGates: | |||
| # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). | |||
| #defaultMTU: 0 | |||
|
|
|||
| # Whether or not to enable IPsec encryption of tunnel traffic. | |||
| #enableIPSecTunnel: false | |||
| # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode. | |||
There was a problem hiding this comment.
Trying to understand "Currently encryption only works with antrea encap mode."
I see a check in the code for IPsec but not for Wireguard. I was also under the assumption that with @tnqn's design, the encap mode didn't really matter since we would always end up using a Wireguard tunnel. It seems to me that we are running the WireGuard e2e tests on Kind in all traffic modes, including noEncap.
There was a problem hiding this comment.
Good catch. In this implementation, WG is like a new encap mode. But it wont work with networkPolicyOnly right? I need to think through the relations between encap mode and WG..
(Originally I suggested to support only encap mode the same way as IPsec for a shared implementation, but as the current code does not looks complex either, I am not against to it).
There was a problem hiding this comment.
Probably we should still require trafficEncryptionMode = encap, and add a comment on tunnelType saying tunnelType will not take effect when trafficEncryptionMode = wireGuard.
Maybe also move trafficEncryptionMode to be after tunnelType.
There was a problem hiding this comment.
Thanks for pointing it out. WG is like a new encap mode. I have updated the comments.
There was a problem hiding this comment.
Originally, I thought WG should be viewed as encap, as it has the same behavior with other tunnel types from user perspective, and it is definitely not noEncap or hybrid (which require underlay network to forward/route Pod traffic). So, in my mind, we should enforce trafficEncapMode = encap, and document tunnelType will not take effect. I talked to @xliuxu about this offline.
However, after more thinking, I got the question on networkPolicyOnly mode. Originally I thought WG cannot work with networkPolicyOnly mode, but now I start to think it depends on how we define networkPolicyOnly mode: if we expect another CNI to handle connectivity/routing, then when WG is enabled, what that CNI does might not take effect; but if we assume another CNI could just do IPAM and users do not care how forwarding/routing is done, then WG might still work with the CNI.
But at least for this version, I still suggest to enforce trafficEncapMode = encap, and we can spend more time to think through the use case of another IPAM + WG, and validate it indeed works (let me know if we already tested WG + networkPolicyOnly on AKS and EKS).
@tnqn @antoninbas : thoughts.
There was a problem hiding this comment.
maybe I'm over simplifying but it feels like Wireguard is really just an encrypted overlay. In a way, wireguard could really be merged with tunnelType and tunnelType could have the following values: vxlan, geneve, gre, vxlanIPsec, geneveIPsec, greIPsec, wireguard. It feels to me that for for networkPolicyOnly mode (IPAM + WG), it's not really specific to Wireguard at all. You could do the same thing with a Geneve overlay. At the end of the day, packets are encapsulated and I don't think that what you expect of networkPolicyOnly mode. Am I missing something?
For this PR / release, I agree with you: we should enforce trafficEncapMode == encap.
There was a problem hiding this comment.
You can also say that. But major code changes are needed to support another IPAM with Geneve (while it is much easier with WG, as WG handles traffic routing among Nodes).
Thought over. Probably we should keep networkPolicyOnly as is (it means another CNI should take care of traffic routing across Nodes and it could support traffic encryption too). Later, if there are requirements, we can support other IPAM plugin separately (with Antrea handles routing).
There was a problem hiding this comment.
You can also say that. But major code changes are needed to support another IPAM with Geneve (while it is much easier with WG, as WG handles traffic routing among Nodes).
It's pretty similar no? With Wireguard, you still have to install Pod routes through the wireguard device on the host and configure the wireguard peers, while with Geneve it would be OVS flows. So the implementation is a bit different, but the amount of information you need is the same (list of Pods IPs for each Node)?
pkg/agent/openflow/client.go
Outdated
| // tunnelPeerIP is the Node Internal Address. In a dual-stack setup, one Node has 2 Node Internal | ||
| // Addresses (IPv4 and IPv6) . | ||
| if c.networkConfig.TrafficEncryptionMode != config.TrafficEncryptionModeWireGuard && | ||
| ((!isIPv6 && c.networkConfig.TrafficEncapMode.NeedsEncapToPeer(tunnelPeerIPs.IPv4, c.nodeConfig.NodeTransportIPv4Addr)) || |
There was a problem hiding this comment.
Probably we can consider to change NeedsEncapToPeer to a func of NetworkConfig, and cover TrafficEncryptionModeWireGuard. No strong opinion.
There was a problem hiding this comment.
I second that. I forgot to leave a comment in my review but I was going to suggest moving the checks to a dedicated function or updating NeedsEncapToPeer.
There was a problem hiding this comment.
If we decide WG requires trafficEncapMode = encap, probably we still keep the current definition (or we rename NeedsEncapToPeer to sth. like NeedsOVSTunnelToPeer and move it to NetworkConfig and cover TrafficEncryptionModeWireGuard).
There was a problem hiding this comment.
I think WG can work with all trafficEncapModes. I moved the function NeedsEncapToPeer to NetworkConfig to cover TrafficEncryptionMode settings.
| @@ -77,8 +77,18 @@ featureGates: | |||
| # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). | |||
| #defaultMTU: 0 | |||
|
|
|||
| # Whether or not to enable IPsec encryption of tunnel traffic. | |||
| #enableIPSecTunnel: false | |||
| # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode. | |||
There was a problem hiding this comment.
Good catch. In this implementation, WG is like a new encap mode. But it wont work with networkPolicyOnly right? I need to think through the relations between encap mode and WG..
(Originally I suggested to support only encap mode the same way as IPsec for a shared implementation, but as the current code does not looks complex either, I am not against to it).
xliuxu
force-pushed
the
wireguard_client
branch
3 times, most recently
from
92f942e
to
54859f4
Compare
|
Thanks @antoninbas and @jianjuns for the review. I have addressed all comments. PTAL. |
|
/test-all |
cmd/antrea-agent/options.go
Outdated
| @@ -134,8 +138,8 @@ func (o *Options) validate(args []string) error { | |||
| if !features.DefaultFeatureGate.Enabled(features.AntreaProxy) { | |||
| return fmt.Errorf("TrafficEncapMode %s requires AntreaProxy to be enabled", o.config.TrafficEncapMode) | |||
| } | |||
| if o.config.EnableIPSecTunnel { | |||
| return fmt.Errorf("IPsec tunnel may only be enabled in %s mode", config.TrafficEncapModeEncap) | |||
| if encryptionMode == config.TrafficEncryptionModeIPSec { | |||
There was a problem hiding this comment.
From the discussion, I think this should check encryptionMode != TrafficEncryptionModeNone now?
pkg/agent/config/node_config.go
Outdated
| // NeedsDirectRoutingToPeer returns true if Pod traffic to peer Node needs a direct route installed to the routing table. | ||
| func (nc *NetworkConfig) NeedsDirectRoutingToPeer(peerIP net.IP, localIP *net.IPNet) bool { | ||
| if nc.TrafficEncryptionMode == TrafficEncryptionModeWireGuard { | ||
| return true |
There was a problem hiding this comment.
This change seems not required and might be incorrect? We install direct route when NeedsDirectRoutingToPeer is true. I see you check TrafficEncryptionMode == TrafficEncryptionModeWireGuard first before checking this, then this change is not needed anway.
There was a problem hiding this comment.
I deleted the check for WireGuard in this function.
xliuxu
force-pushed
the
wireguard_client
branch
2 times, most recently
from
fbb0bf5
to
859f43b
Compare
build/yamls/antrea-aks.yml
Outdated
| # - geneve (default) | ||
| # - vxlan | ||
| # - gre | ||
| # - stt | ||
| #tunnelType: geneve | ||
|
|
||
| # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode. |
There was a problem hiding this comment.
Nit: antrea encap mode -> encap mode.
| @@ -77,8 +77,18 @@ featureGates: | |||
| # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). | |||
| #defaultMTU: 0 | |||
|
|
|||
| # Whether or not to enable IPsec encryption of tunnel traffic. | |||
| #enableIPSecTunnel: false | |||
| # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode. | |||
There was a problem hiding this comment.
You can also say that. But major code changes are needed to support another IPAM with Geneve (while it is much easier with WG, as WG handles traffic routing among Nodes).
Thought over. Probably we should keep networkPolicyOnly as is (it means another CNI should take care of traffic routing across Nodes and it could support traffic encryption too). Later, if there are requirements, we can support other IPAM plugin separately (with Antrea handles routing).
pkg/agent/config/node_config.go
Outdated
| @@ -126,3 +142,17 @@ func IsIPv6Enabled(nodeConfig *NodeConfig, trafficEncapMode TrafficEncapModeType | |||
| return nodeConfig.PodIPv6CIDR != nil || | |||
| (trafficEncapMode.IsNetworkPolicyOnly() && nodeConfig.NodeIPv6Addr != nil) | |||
| } | |||
|
|
|||
| // NeedsEncapToPeer returns true if Pod traffic to peer Node needs to be encapsulated. | |||
There was a problem hiding this comment.
"needs to be encapsulated by OVS tunneling"
Actually, I prefer to rename the func to NeedsTunnelToPeer, and here we can say "needs to be tunneled".
xliuxu
force-pushed
the
wireguard_client
branch
from
859f43b
to
871cc44
Compare
This PR implements antrea-io#2243. Change tunnel traffic encryption option to enum type. The options contains none (default), ipsec and wireguard. Signed-off-by: Xu Liu <[email protected]>
xliuxu
force-pushed
the
wireguard_client
branch
from
871cc44
to
b054878
Compare
|
/test-all |
|
/test-conformance |
|
/test-ipv6-e2e |
Add WireGuard client for tunnel traffic encryption. This PR implements #2243.
Signed-off-by: Xu Liu [email protected]