Add WireGuard support for tunnel traffic encryption

This PR implements antrea-io#2243. Change tunnel traffic encryption option
to enum type. The options contains none (default), ipsec and wireguard.

Signed-off-by: Xu Liu <[email protected]>

build/images/scripts/install_cni

@@ -33,5 +33,9 @@ install -m 755 /opt/cni/bin/whereabouts /host/opt/cni/bin/whereabouts
 # Load the OVS kernel module
 modprobe openvswitch || (echo "Failed to load the OVS kernel module from the container, try running 'modprobe openvswitch' on your Nodes"; exit 1)
 
+# Load the WireGuard kernel module. This is only required when WireGuard encryption is enabled.
+# We could parse the antrea config file in the init-container to dynamically load this kernel module in the future.
+modprobe wireguard || (echo "Failed to load the WireGuard kernel module, WireGuard encryption will not be available")
+
 # Change the default permissions of the run directory.
 chmod 0750 /var/run/antrea

build/images/wireguard-go/Dockerfile

@@ -0,0 +1,19 @@
+ARG GO_VERSION
+ARG WIREGUARD_GO_VERSION
+
+FROM golang:${GO_VERSION} as builder
+
+RUN git clone https://git.zx2c4.com/wireguard-go && \
+    cd wireguard-go && \
+    git checkout ${WIREGUARD_GO_VERSION} && \
+    make && \ 
+    make install
+
+RUN git clone https://git.zx2c4.com/wireguard-tools && \
+    cd wireguard-tools && \
+    cd src && \
+    make && \
+    make install
+
+FROM ubuntu:20.04
+COPY --from=builder /usr/bin/wireguard-go /usr/bin/wg /usr/bin/

build/images/wireguard-go/README.md

@@ -0,0 +1,20 @@
+# images/wireguard-go
+
+This Docker image is a very lightweight image based on Ubuntu 20.04 which
+includes WireGuard golang implementation and wireguard-tools. It can be used
+for Kind clusters for tests when injected as a sidecar to antrea-agent.
+The version is available at <https://github.com/WireGuard/wireguard-go/releases>.
+
+If you need to build a new version of the image and push it to Dockerhub, you
+can run the following:
+
+```bash
+cd build/images/wireguard-go
+GO_VERSION=$(head -n 1 ../deps/go-version)
+WIREGUARD_GO_VERSION=0.0.20210424
+docker build -t antrea/wireguard-go:$WIREGUARD_GO_VERSION --build-arg GO_VERSION=$GO_VERSION --build-arg WIREGUARD_GO_VERSION=$WIREGUARD_GO_VERSION .
+docker push antrea/wireguard-go:$WIREGUARD_GO_VERSION
+```
+
+The `docker push` command will fail if you do not have permission to push to the
+`antrea` Dockerhub repository.

build/yamls/antrea-aks.yml

@@ -3832,8 +3832,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51820
 
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
@@ -3983,7 +3993,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-66dt98cgtb
+  name: antrea-config-b57hc7g4b2
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4054,7 +4064,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-66dt98cgtb
+          value: antrea-config-b57hc7g4b2
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4105,7 +4115,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b57hc7g4b2
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4386,7 +4396,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b57hc7g4b2
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -3832,8 +3832,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51820
 
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
@@ -3983,7 +3993,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-66dt98cgtb
+  name: antrea-config-b57hc7g4b2
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4054,7 +4064,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-66dt98cgtb
+          value: antrea-config-b57hc7g4b2
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4105,7 +4115,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b57hc7g4b2
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4388,7 +4398,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b57hc7g4b2
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -3832,8 +3832,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51820
 
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
@@ -3983,7 +3993,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-d2f597tg62
+  name: antrea-config-7h6b98ct29
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4054,7 +4064,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-d2f597tg62
+          value: antrea-config-7h6b98ct29
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4105,7 +4115,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-d2f597tg62
+          name: antrea-config-7h6b98ct29
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4389,7 +4399,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-d2f597tg62
+          name: antrea-config-7h6b98ct29
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -3832,8 +3832,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    enableIPSecTunnel: true
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
+    trafficEncryptionMode: ipsec
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51820
 
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
@@ -3988,7 +3998,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-bgd79km9c8
+  name: antrea-config-tcb22c52b9
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4068,7 +4078,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-bgd79km9c8
+          value: antrea-config-tcb22c52b9
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4119,7 +4129,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-bgd79km9c8
+          name: antrea-config-tcb22c52b9
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4435,7 +4445,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-bgd79km9c8
+          name: antrea-config-tcb22c52b9
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -3832,8 +3832,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51820
 
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
@@ -3988,7 +3998,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-dd8ffc8tk9
+  name: antrea-config-b6g9tbf4h5
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4059,7 +4069,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-dd8ffc8tk9
+          value: antrea-config-b6g9tbf4h5
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4110,7 +4120,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-dd8ffc8tk9
+          name: antrea-config-b6g9tbf4h5
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4391,7 +4401,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-dd8ffc8tk9
+          name: antrea-config-b6g9tbf4h5
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -77,8 +77,18 @@ featureGates:
 # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
 #defaultMTU: 0
 
-# Whether or not to enable IPsec encryption of tunnel traffic.
-#enableIPSecTunnel: false
+# Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+# It has the following options:
+# - none (default):  Inter-node Pod traffic will not be encrypted.
+# - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+#                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+#                    the PSK value must be passed to Antrea Agent through an environment
+#                    variable: ANTREA_IPSEC_PSK.
+# - wireGuard:       Enable WireGuard for tunnel traffic encryption.
+#trafficEncryptionMode: none
+
+# The port for WireGuard to receive traffic.
+#wireGuardPort: 51820
 
 # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
 # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When

build/yamls/patches/kind/wireguardGo.yml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: antrea-agent
+spec:
+  template:
+    spec:
+      containers:
+      - name: wireguard
+        command: 
+        - wireguard-go
+        args: 
+        - -f
+        - antrea-wg0
+        image: projects.registry.vmware.com/antrea/wireguard-go:0.0.20210424
+        imagePullPolicy: IfNotPresent
+        resources:
+          requests:
+            cpu: 100m
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        volumeMounts:
+        - mountPath: /var/run/wireguard
+          name: host-var-run-antrea
+          subPath: wireguard
+        - name: dev-tun
+          mountPath: /dev/net/tun
+      - name: antrea-agent
+        volumeMounts:
+        - mountPath: /var/run/wireguard
+          name: host-var-run-antrea
+          subPath: wireguard
+      volumes:
+      - name: dev-tun
+        hostPath:
+          path: /dev/net/tun
+          type: CharDevice