Add WireGuard support for tunnel traffic encryption

This PR implements antrea-io#2243. Change tunnel traffic encryption option
to enum type. The options contains none (default), ipsec and wireguard.

Signed-off-by: Xu Liu <[email protected]>

build/images/scripts/install_cni

@@ -33,5 +33,9 @@ install -m 755 /opt/cni/bin/whereabouts /host/opt/cni/bin/whereabouts
 # Load the OVS kernel module
 modprobe openvswitch || (echo "Failed to load the OVS kernel module from the container, try running 'modprobe openvswitch' on your Nodes"; exit 1)
 
+# Load the WireGuard kernel module. This is only required when WireGuard encryption is enabled.
+# We could parse the antrea config file in the init-container to dynamically load this kernel module in the future.
+modprobe wireguard || (echo "Failed to load the WireGuard kernel module, WireGuard encryption will not be available")
+
 # Change the default permissions of the run directory.
 chmod 0750 /var/run/antrea

build/images/wireguard-go/Dockerfile

@@ -0,0 +1,15 @@
+FROM golang:1.16 as builder
+
+RUN git clone https://git.zx2c4.com/wireguard-go && \
+    cd wireguard-go && \
+    make && \ 
+    make install
+
+RUN git clone https://git.zx2c4.com/wireguard-tools && \
+    cd wireguard-tools && \
+    cd src && \
+    make && \
+    make install
+
+FROM ubuntu:20.04
+COPY --from=builder /usr/bin/wireguard-go /usr/bin/wg /usr/bin/

build/images/wireguard-go/README.md

@@ -0,0 +1,17 @@
+# images/wireguard-go
+
+This Docker image is a very lightweight image based on Ubuntu 20.04 which
+includes WireGuard golang implementation and wireguard-tools. It can be used
+for Kind clusters for tests when injected as a sidecar to antrea-agent.
+
+If you need to build a new version of the image and push it to Dockerhub, you
+can run the following:
+
+```bash
+cd build/images/wireguard-go
+docker build -t antrea/wireguard-go:latest .
+docker push antrea/wireguard-go:latest
+```
+
+The `docker push` command will fail if you do not have permission to push to the
+`antrea` Dockerhub repository.

build/yamls/antrea-aks.yml

@@ -3801,6 +3801,9 @@ data:
     # Make sure it doesn't conflict with your existing interfaces.
     #hostGateway: antrea-gw0
 
+    # Name of the interface antrea-agent will create and use for WireGuard traffic encryption.
+    #wireGuardInterfaceName: antrea-wg0
+
     # Determines how traffic is encapsulated. It has the following options:
     # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
     #                    traffic is SNAT'd.
@@ -3832,8 +3835,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireguard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
 
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
@@ -3983,7 +3996,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-66dt98cgtb
+  name: antrea-config-b8dc5gg2d2
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4054,7 +4067,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-66dt98cgtb
+          value: antrea-config-b8dc5gg2d2
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4105,7 +4118,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b8dc5gg2d2
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4386,7 +4399,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b8dc5gg2d2
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -3801,6 +3801,9 @@ data:
     # Make sure it doesn't conflict with your existing interfaces.
     #hostGateway: antrea-gw0
 
+    # Name of the interface antrea-agent will create and use for WireGuard traffic encryption.
+    #wireGuardInterfaceName: antrea-wg0
+
     # Determines how traffic is encapsulated. It has the following options:
     # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
     #                    traffic is SNAT'd.
@@ -3832,8 +3835,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireguard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
 
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
@@ -3983,7 +3996,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-66dt98cgtb
+  name: antrea-config-b8dc5gg2d2
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4054,7 +4067,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-66dt98cgtb
+          value: antrea-config-b8dc5gg2d2
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4105,7 +4118,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b8dc5gg2d2
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4388,7 +4401,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-66dt98cgtb
+          name: antrea-config-b8dc5gg2d2
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -3801,6 +3801,9 @@ data:
     # Make sure it doesn't conflict with your existing interfaces.
     #hostGateway: antrea-gw0
 
+    # Name of the interface antrea-agent will create and use for WireGuard traffic encryption.
+    #wireGuardInterfaceName: antrea-wg0
+
     # Determines how traffic is encapsulated. It has the following options:
     # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
     #                    traffic is SNAT'd.
@@ -3832,8 +3835,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireguard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
 
     # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
     # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
@@ -3983,7 +3996,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-d2f597tg62
+  name: antrea-config-242t7c74gb
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4054,7 +4067,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-d2f597tg62
+          value: antrea-config-242t7c74gb
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4105,7 +4118,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-d2f597tg62
+          name: antrea-config-242t7c74gb
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4389,7 +4402,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-d2f597tg62
+          name: antrea-config-242t7c74gb
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -3801,6 +3801,9 @@ data:
     # Make sure it doesn't conflict with your existing interfaces.
     #hostGateway: antrea-gw0
 
+    # Name of the interface antrea-agent will create and use for WireGuard traffic encryption.
+    #wireGuardInterfaceName: antrea-wg0
+
     # Determines how traffic is encapsulated. It has the following options:
     # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
     #                    traffic is SNAT'd.
@@ -3832,8 +3835,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    enableIPSecTunnel: true
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireguard:       Enable WireGuard for tunnel traffic encryption.
+    trafficEncryptionMode: ipsec
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
 
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
@@ -3988,7 +4001,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-bgd79km9c8
+  name: antrea-config-fk2557bh4f
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4068,7 +4081,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-bgd79km9c8
+          value: antrea-config-fk2557bh4f
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4119,7 +4132,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-bgd79km9c8
+          name: antrea-config-fk2557bh4f
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4435,7 +4448,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-bgd79km9c8
+          name: antrea-config-fk2557bh4f
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -3801,6 +3801,9 @@ data:
     # Make sure it doesn't conflict with your existing interfaces.
     #hostGateway: antrea-gw0
 
+    # Name of the interface antrea-agent will create and use for WireGuard traffic encryption.
+    #wireGuardInterfaceName: antrea-wg0
+
     # Determines how traffic is encapsulated. It has the following options:
     # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
     #                    traffic is SNAT'd.
@@ -3832,8 +3835,18 @@ data:
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
     #defaultMTU: 0
 
-    # Whether or not to enable IPsec encryption of tunnel traffic.
-    #enableIPSecTunnel: false
+    # Determines how tunnel traffic is encrypted. Currently encryption only works with antrea encap mode.
+    # It has the following options:
+    # - none (default):  Inter-node Pod traffic will not be encrypted.
+    # - ipsec:           Enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses
+    #                    Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled,
+    #                    the PSK value must be passed to Antrea Agent through an environment
+    #                    variable: ANTREA_IPSEC_PSK.
+    # - wireguard:       Enable WireGuard for tunnel traffic encryption.
+    #trafficEncryptionMode: none
+
+    # The port for WireGuard to receive traffic.
+    #wireGuardPort: 51850
 
     # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
     # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
@@ -3988,7 +4001,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-dd8ffc8tk9
+  name: antrea-config-f2868hh5ch
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4059,7 +4072,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-dd8ffc8tk9
+          value: antrea-config-f2868hh5ch
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4110,7 +4123,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-dd8ffc8tk9
+          name: antrea-config-f2868hh5ch
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4391,7 +4404,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-dd8ffc8tk9
+          name: antrea-config-f2868hh5ch
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d