[cilium] Add support for encryption via WireGuard

In this commit, we enable users to choose WireGuard as their prefered
encryption type, leveraging this new feature from Cilium.

Ref: https://cilium.io/blog/2021/05/20/cilium-110#wireguard

Signed-off-by: dntosas <ntosas@gmail.com>
This commit is contained in:
dntosas 2021-06-16 16:39:38 +03:00 committed by Ole Markus With
parent bd58b66c31
commit 0e8d189aee
7 changed files with 39 additions and 1 deletions

View File

@ -3653,6 +3653,10 @@ spec:
description: EnableIpv6 is not implemented and may be removed
in the future. Setting this has no effect.
type: boolean
encryptionType:
description: 'EncryptionType specifies Cilium Encryption method
("ipsec", "wireguard"). Default: ipsec'
type: string
envoyLog:
description: EnvoyLog is not implemented and may be removed
in the future. Setting this has no effect.

View File

@ -343,6 +343,9 @@ type CiliumNetworkingSpec struct {
// EnableEncryption enables Cilium Encryption.
// Default: false
EnableEncryption bool `json:"enableEncryption,omitempty"`
// EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
// Default: ipsec
EncryptionType string `json:"encryptionType,omitempty"`
// EnvoyLog is not implemented and may be removed in the future.
// Setting this has no effect.
EnvoyLog string `json:"envoyLog,omitempty"`

View File

@ -343,6 +343,9 @@ type CiliumNetworkingSpec struct {
// EnableEncryption enables Cilium Encryption.
// Default: false
EnableEncryption bool `json:"enableEncryption,omitempty"`
// EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
// Default: ipsec
EncryptionType string `json:"encryptionType,omitempty"`
// EnvoyLog is not implemented and may be removed in the future.
// Setting this has no effect.
EnvoyLog string `json:"envoyLog,omitempty"`

View File

@ -1774,6 +1774,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
out.EnableTracing = in.EnableTracing
out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
out.EnableEncryption = in.EnableEncryption
out.EncryptionType = in.EncryptionType
out.EnvoyLog = in.EnvoyLog
out.IdentityAllocationMode = in.IdentityAllocationMode
out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
@ -1881,6 +1882,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
out.EnableTracing = in.EnableTracing
out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
out.EnableEncryption = in.EnableEncryption
out.EncryptionType = in.EncryptionType
out.EnvoyLog = in.EnvoyLog
out.IdentityAllocationMode = in.IdentityAllocationMode
out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod

View File

@ -879,8 +879,24 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
allErrs = append(allErrs, IsValidValue(fldPath.Child("bpfLBAlgorithm"), &v.BPFLBAlgorithm, []string{"random", "maglev"})...)
}
// Cilium with Wireguard integration follow-up --> https://github.com/cilium/cilium/issues/15462.
// The following rule of validation should be deleted as this combination
// will be supported on future releases of Cilium (>= v1.11.0).
if v.EncryptionType == "wireguard" && v.EnableEncryption && fi.BoolValue(v.EnableL7Proxy) {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("encryptionType"), "Cilium EncryptionType=WireGuard cannot work with L7 Proxy enabled."))
}
if v.EncryptionType != "" {
allErrs = append(allErrs, IsValidValue(fldPath.Child("encryptionType"), &v.EncryptionType, []string{"ipsec", "wireguard"})...)
version, _ := semver.Parse(v.Version)
if v.EncryptionType == "wireguard" && version.Minor < 10 {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("encryptionType"), "Cilium EncryptionType=WireGuard is not available for Cilium version < 1.10.0."))
}
}
if fi.BoolValue(v.EnableL7Proxy) && v.IPTablesRulesNoinstall {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed"))
allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed."))
}
if v.Ipam != "" {

View File

@ -149,6 +149,10 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
c.MemoryRequest = &defaultMemoryRequest
}
if c.EncryptionType == "" {
c.EncryptionType = "ipsec"
}
hubble := c.Hubble
if hubble != nil {
if hubble.Enabled == nil {

View File

@ -83,10 +83,16 @@ data:
operator-prometheus-serve-addr: ":6942"
enable-metrics: "true"
{{ end }}
{{ if .EnableEncryption }}
{{ if eq .EncryptionType "ipsec" }}
enable-ipsec: "true"
ipsec-key-file: /etc/ipsec/keys
{{ else if eq .EncryptionType "wireguard" }}
enable-wireguard: "true"
{{ end }}
{{ end }}
# Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
# address.
enable-ipv4: "{{ not IsIPv6Only }}"