Add WireGuard client for tunnel traffic encryption.

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode.

Signed-off-by: Xu Liu <[email protected]>

build/images/scripts/install_cni

@@ -33,5 +33,8 @@ install -m 755 /opt/cni/bin/whereabouts /host/opt/cni/bin/whereabouts
 # Load the OVS kernel module
 modprobe openvswitch || (echo "Failed to load the OVS kernel module from the container, try running 'modprobe openvswitch' on your Nodes"; exit 1)
 
+# Load the WireGuard kernel module
+modprobe wireguard || (echo "WireGuard is not supported for this node.")
+
 # Change the default permissions of the run directory.
 chmod 0750 /var/run/antrea

build/yamls/antrea-aks.yml

@@ -3744,6 +3744,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
     # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
@@ -3887,7 +3894,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-tgm22b6g5t
+  name: antrea-config-c6cb8g4fk4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3958,7 +3965,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-tgm22b6g5t
+          value: antrea-config-c6cb8g4fk4
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4009,7 +4016,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-tgm22b6g5t
+          name: antrea-config-c6cb8g4fk4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4305,7 +4312,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-tgm22b6g5t
+          name: antrea-config-c6cb8g4fk4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -3744,6 +3744,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
     # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
@@ -3887,7 +3894,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-tgm22b6g5t
+  name: antrea-config-c6cb8g4fk4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3958,7 +3965,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-tgm22b6g5t
+          value: antrea-config-c6cb8g4fk4
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4009,7 +4016,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-tgm22b6g5t
+          name: antrea-config-c6cb8g4fk4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4307,7 +4314,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-tgm22b6g5t
+          name: antrea-config-c6cb8g4fk4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -3744,6 +3744,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
     # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
@@ -3887,7 +3894,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-246k7dkb5c
+  name: antrea-config-4b6f82h98b
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3958,7 +3965,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-246k7dkb5c
+          value: antrea-config-4b6f82h98b
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4009,7 +4016,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-246k7dkb5c
+          name: antrea-config-4b6f82h98b
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4308,7 +4315,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-246k7dkb5c
+          name: antrea-config-4b6f82h98b
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -3744,6 +3744,13 @@ data:
     # for the GRE tunnel type.
     enableIPSecTunnel: true
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
     # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
@@ -3892,7 +3899,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-5mt4h4g8tk
+  name: antrea-config-cgf9d9c2k4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3972,7 +3979,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-5mt4h4g8tk
+          value: antrea-config-cgf9d9c2k4
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4023,7 +4030,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-5mt4h4g8tk
+          name: antrea-config-cgf9d9c2k4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4354,7 +4361,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-5mt4h4g8tk
+          name: antrea-config-cgf9d9c2k4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -3744,6 +3744,13 @@ data:
     # for the GRE tunnel type.
     #enableIPSecTunnel: false
 
+    # Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+    # for encap mode.
+    #enableWireGuardTunnel: false
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
+
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
     # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
@@ -3892,7 +3899,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-2567tcm8ck
+  name: antrea-config-5b4gdcddbm
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3963,7 +3970,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-2567tcm8ck
+          value: antrea-config-5b4gdcddbm
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4014,7 +4021,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-2567tcm8ck
+          name: antrea-config-5b4gdcddbm
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4310,7 +4317,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-2567tcm8ck
+          name: antrea-config-5b4gdcddbm
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -81,6 +81,13 @@ featureGates:
 # for the GRE tunnel type.
 #enableIPSecTunnel: false
 
+# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
+# for encap mode.
+#enableWireGuardTunnel: false
+
+# The port for WireGuard to receive traffic.
+#wireGuardPort: 51850
+
 # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
 # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
 # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.

cmd/antrea-agent/agent.go

@@ -117,7 +117,10 @@ func run(o *Options) error {
 	networkConfig := &config.NetworkConfig{
 		TunnelType:        ovsconfig.TunnelType(o.config.TunnelType),
 		TrafficEncapMode:  encapMode,
-		EnableIPSecTunnel: o.config.EnableIPSecTunnel}
+		EnableIPSecTunnel: o.config.EnableIPSecTunnel,
+		EnableWireGuard:   o.config.EnableWireGuard,
+		WireGuardPort:     o.config.WireGuardPort,
+	}
 
 	routeClient, err := route.NewClient(serviceCIDRNet, networkConfig, o.config.NoSNAT)
 	if err != nil {
@@ -164,7 +167,8 @@ func run(o *Options) error {
 		routeClient,
 		ifaceStore,
 		networkConfig,
-		nodeConfig)
+		nodeConfig,
+		agentInitializer.GetWireGuardClient())
 
 	var proxier proxy.Proxier
 	if features.DefaultFeatureGate.Enabled(features.AntreaProxy) {

cmd/antrea-agent/config.go

@@ -95,6 +95,12 @@ type AgentConfig struct {
 	// through an environment variable: ANTREA_IPSEC_PSK.
 	// Defaults to false.
 	EnableIPSecTunnel bool `yaml:"enableIPSecTunnel,omitempty"`
+	// Whether or not to enable WireGuard encryption for Pod traffic across Nodes. Currently WireGuard
+	// is supported only with encap mode.
+	EnableWireGuard bool `yaml:"enableWireGuardTunnel,omitempty"`
+	// WireGuardPort is the port for the WireGuard to receive traffic.
+	// Defaults to 51850
+	WireGuardPort int `yaml:"wireGuardPort,omitempty"`
 	// APIPort is the port for the antrea-agent APIServer to serve on.
 	// Defaults to 10350.
 	APIPort int `yaml:"apiPort,omitempty"`

cmd/antrea-agent/options.go

@@ -137,6 +137,9 @@ func (o *Options) validate(args []string) error {
 		if o.config.EnableIPSecTunnel {
 			return fmt.Errorf("IPsec tunnel may only be enabled in %s mode", config.TrafficEncapModeEncap)
 		}
+		if o.config.EnableWireGuard {
+			return fmt.Errorf("WireGuard tunnel may only be enabled in %s mode", config.TrafficEncapModeEncap)
+		}
 	}
 	if o.config.NoSNAT && !(encapMode == config.TrafficEncapModeNoEncap || encapMode == config.TrafficEncapModeNetworkPolicyOnly) {
 		return fmt.Errorf("noSNAT is only applicable to the %s mode", config.TrafficEncapModeNoEncap)

cmd/antrea-agent/options_windows.go

@@ -51,7 +51,9 @@ func (o *Options) checkUnsupportedFeatures() error {
 	if o.config.EnableIPSecTunnel {
 		unsupported = append(unsupported, "IPsecTunnel")
 	}
-
+	if o.config.EnableWireGuard {
+		unsupported = append(unsupported, "WireGuard")
+	}
 	if unsupported != nil {
 		return fmt.Errorf("unsupported features on Windows: {%s}", strings.Join(unsupported, ", "))
 	}

cmd/antrea-agent/options_windows_test.go

@@ -69,6 +69,11 @@ func TestCheckUnsupportedFeatures(t *testing.T) {
 			AgentConfig{EnableIPSecTunnel: true},
 			false,
 		},
+		{
+			"WireGuard tunnel",
+			AgentConfig{EnableWireGuard: true},
+			false,
+		},
 		{
 			"hybrid mode and GRE tunnel",
 			AgentConfig{TrafficEncapMode: config.TrafficEncapModeHybrid.String(), TunnelType: ovsconfig.GRETunnel},

go.mod

@@ -41,15 +41,16 @@ require (
 	github.com/streamrail/concurrent-map v0.0.0-20160823150647-8bf1e9bacbf6 // indirect
 	github.com/stretchr/testify v1.6.1
 	github.com/ti-mo/conntrack v0.3.0
-	github.com/vishvananda/netlink v1.1.0
+	github.com/vishvananda/netlink v1.1.1-0.20210510164352-d17758a128bf
 	github.com/vmware/go-ipfix v0.5.4
-	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
+	golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e
 	golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6
 	golang.org/x/mod v0.4.2
-	golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
+	golang.org/x/net v0.0.0-20210504132125-bbd867fde50d
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20210510120138-977fb7262007
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210506160403-92e472f520a5
 	google.golang.org/grpc v1.27.1
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v2 v2.4.0