Add WireGuard client for tunnel traffic encryption. This PR is a part

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>
xliuxu · Jun 25, 2021 · 2a6e9cf · 2a6e9cf
1 parent 2d19196
commit 2a6e9cf
Show file tree

Hide file tree

Showing 41 changed files with 1,228 additions and 111 deletions.
diff --git a/build/images/scripts/install_cni b/build/images/scripts/install_cni
@@ -33,5 +33,8 @@ install -m 755 /opt/cni/bin/whereabouts /host/opt/cni/bin/whereabouts
 # Load the OVS kernel module
 modprobe openvswitch || (echo "Failed to load the OVS kernel module from the container, try running 'modprobe openvswitch' on your Nodes"; exit 1)
 
+# Load the WireGuard kernel module
+modprobe wireguard || (echo "Failed to load the WireGuard kernel module from the container.")
+
 # Change the default permissions of the run directory.
 chmod 0750 /var/run/antrea
diff --git a/build/images/wireguard-go/Dockerfile b/build/images/wireguard-go/Dockerfile
@@ -0,0 +1,15 @@
+FROM golang:1.16 as builder
+
+RUN git clone https://git.zx2c4.com/wireguard-go && \
+    cd wireguard-go && \
+    make && \ 
+    make install
+
+RUN git clone https://git.zx2c4.com/wireguard-tools && \
+    cd wireguard-tools && \
+    cd src && \
+    make && \
+    make install
+
+FROM ubuntu:20.04
+COPY --from=builder /usr/bin/wireguard-go /usr/bin/wg /usr/bin/
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -3718,6 +3718,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
     # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
@@ -3861,7 +3868,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-t9hc8tf75d
+  name: antrea-config-5t7m5kt44b
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3932,7 +3939,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-t9hc8tf75d
+          value: antrea-config-5t7m5kt44b
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -3983,7 +3990,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-t9hc8tf75d
+          name: antrea-config-5t7m5kt44b
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4279,7 +4286,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-t9hc8tf75d
+          name: antrea-config-5t7m5kt44b
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -3718,6 +3718,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
     # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
@@ -3861,7 +3868,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-t9hc8tf75d
+  name: antrea-config-5t7m5kt44b
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3932,7 +3939,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-t9hc8tf75d
+          value: antrea-config-5t7m5kt44b
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -3983,7 +3990,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-t9hc8tf75d
+          name: antrea-config-5t7m5kt44b
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4281,7 +4288,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-t9hc8tf75d
+          name: antrea-config-5t7m5kt44b
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -3718,6 +3718,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
     # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
@@ -3861,7 +3868,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-9g829tktd6
+  name: antrea-config-d8b7t88629
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3932,7 +3939,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-9g829tktd6
+          value: antrea-config-d8b7t88629
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -3983,7 +3990,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-9g829tktd6
+          name: antrea-config-d8b7t88629
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4282,7 +4289,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-9g829tktd6
+          name: antrea-config-d8b7t88629
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -3718,6 +3718,13 @@ data:
     # for the GRE tunnel type.
     enableIPSecTunnel: true
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
     # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
@@ -3866,7 +3873,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-h5kbhh859d
+  name: antrea-config-fk8d988bd9
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3946,7 +3953,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-h5kbhh859d
+          value: antrea-config-fk8d988bd9
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -3997,7 +4004,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-h5kbhh859d
+          name: antrea-config-fk8d988bd9
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4328,7 +4335,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-h5kbhh859d
+          name: antrea-config-fk8d988bd9
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -3718,6 +3718,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
     # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
@@ -3866,7 +3873,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-cbfh568k9m
+  name: antrea-config-m8b78df98b
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3937,7 +3944,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-cbfh568k9m
+          value: antrea-config-m8b78df98b
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -3988,7 +3995,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-cbfh568k9m
+          name: antrea-config-m8b78df98b
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4284,7 +4291,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-cbfh568k9m
+          name: antrea-config-m8b78df98b
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/yamls/base/conf/antrea-agent.conf
@@ -81,6 +81,13 @@ featureGates:
 # for the GRE tunnel type.
 #enableIPSecTunnel: false
 
+# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+# for encap mode.
+#enableWireGuardTunnel: false
+
+# The port for WireGuard to receive traffic.
+#wireGuardPort: 51850
+
 # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
 # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
 # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.

diff --git a/build/yamls/patches/kind/wireguardGo.yml b/build/yamls/patches/kind/wireguardGo.yml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: antrea-agent
+spec:
+  template:
+    spec:
+      containers:
+      - name: wireguard
+        command: 
+        - wireguard-go
+        args: 
+        - -f
+        - antrea-wg
+        image: xliuxu/wireguard-go:latest
+        imagePullPolicy: IfNotPresent
+        resources:
+          requests:
+            cpu: 100m
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        volumeMounts:
+        - name: host-var-run-wireguard
+          mountPath: /var/run/wireguard
+        - name: dev-tun
+          mountPath: /dev/net/tun
+      - name: antrea-agent
+        volumeMounts:
+        - name: host-var-run-wireguard
+          mountPath: /var/run/wireguard
+      volumes:
+      - name: host-var-run-wireguard
+        hostPath:
+          path: /var/run/wireguard
+          type: DirectoryOrCreate
+      - name: dev-tun
+        hostPath:
+          path: /dev/net/tun
+          type: CharDevice
diff --git a/ci/kind/kind-setup.sh b/ci/kind/kind-setup.sh
@@ -28,6 +28,7 @@ SUBNETS=""
 ENCAP_MODE=""
 PROXY=true
 PROMETHEUS=false
+WIREGUARDGO=false
 
 THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 
@@ -54,6 +55,7 @@ where:
   --images: specifies images loaded to kind cluster, default is $IMAGES
   --subnets: a subnet creates a separate docker bridge network (named 'antrea-<idx>') with assigned subnet that worker nodes may connect to. Default is empty: all worker
     Node connected to default docker bridge network created by Kind.
+  --wireguard: enable wireguard encryption in userspace.
 "
 
 function print_usage {
@@ -274,6 +276,9 @@ EOF
     if [[ $PROXY == false ]]; then
       cmd+=" --no-proxy"
     fi
+    if [[ $WIREGUARDGO == true ]]; then
+      cmd+=" --wireguard-go"
+    fi
     echo "$cmd --kind $(get_encap_mode) | kubectl apply --context kind-$CLUSTER_NAME -f -"
     eval "$cmd --kind $(get_encap_mode) | kubectl apply --context kind-$CLUSTER_NAME -f -"
 
@@ -348,6 +353,10 @@ while [[ $# -gt 0 ]]
       NUM_WORKERS="$2"
       shift 2
       ;;
+    --wireguard-go)
+      WIREGUARDGO=true
+      shift
+      ;;
     help)
       print_usage
       exit 0

diff --git a/ci/kind/test-e2e-kind.sh b/ci/kind/test-e2e-kind.sh
@@ -103,7 +103,7 @@ else
     manifest_args="$manifest_args --no-np"
 fi
 
-COMMON_IMAGES_LIST=("gcr.io/kubernetes-e2e-test-images/agnhost:2.8" "projects.registry.vmware.com/library/busybox" "projects.registry.vmware.com/antrea/nginx" "projects.registry.vmware.com/antrea/perftool" "projects.registry.vmware.com/antrea/ipfix-collector:v0.5.3")
+COMMON_IMAGES_LIST=("gcr.io/kubernetes-e2e-test-images/agnhost:2.8" "projects.registry.vmware.com/library/busybox" "projects.registry.vmware.com/antrea/nginx" "projects.registry.vmware.com/antrea/perftool" "projects.registry.vmware.com/antrea/ipfix-collector:v0.5.2" "xliuxu/wireguard-go:latest")
 for image in "${COMMON_IMAGES_LIST[@]}"; do
     for i in `seq 3`; do
         docker pull $image && break
@@ -130,9 +130,11 @@ function run_test {
 
   if $coverage; then
       $YML_CMD --kind --encap-mode $current_mode $manifest_args | docker exec -i kind-control-plane dd of=/root/antrea-coverage.yml
+      $YML_CMD --kind --encap-mode $current_mode $manifest_args --wireguard-go | docker exec -i kind-control-plane dd of=/root/antrea-wireguard-coverage.yml
       $FLOWAGGREGATOR_YML_CMD --coverage | docker exec -i kind-control-plane dd of=/root/flow-aggregator-coverage.yml
   else
       $YML_CMD --kind --encap-mode $current_mode $manifest_args | docker exec -i kind-control-plane dd of=/root/antrea.yml
+      $YML_CMD --kind --encap-mode $current_mode $manifest_args --wireguard-go | docker exec -i kind-control-plane dd of=/root/antrea-wireguard.yml
       $FLOWAGGREGATOR_YML_CMD | docker exec -i kind-control-plane dd of=/root/flow-aggregator.yml
   fi
   sleep 1