Merge pull request #12158 from olemarkus/cilium-wireguard-support

Cilium wireguard support
2021-08-16 23:18:00 -07:00 · 2021-08-16 23:18:00 -07:00 · be493f1788
parent fdba8f24c7 3b78a29f7c
commit be493f1788
10 changed files with 70 additions and 2 deletions
--- a/docs/networking/cilium.md
+++ b/docs/networking/cilium.md
@ -136,6 +136,8 @@ Note that since Cilium Operator is the entity that interacts with the EC2 API to
 Also note that this feature has only been tested on the default kOps AMIs.

 #### Enabling Encryption in Cilium
+
+##### ipsec
 {{ kops_feature_table(kops_added_default='1.19', k8s_min='1.17') }}

 As of kOps 1.19, it is possible to enable encryption for Cilium agent.
@ -153,6 +155,20 @@ Once the secret has been created, encryption can be enabled by setting `enableEn
      enableEncryption: true
 ```

+##### wireguard
+{{ kops_feature_table(kops_added_default='1.22', k8s_min='1.17') }}
+
+Cilium can make use of the [wireguard protocol for transparent encryption](https://docs.cilium.io/en/v1.10/gettingstarted/encryption-wireguard/). Take care to familiarise yourself with the [limitations](https://docs.cilium.io/en/v1.10/gettingstarted/encryption-wireguard/#limitations).
+
+```yaml
+  networking:
+    cilium:
+      enableEncryption: true
+      enableL7Proxy: false
+      encryptionType: wireguard
+```
+
+
 #### Resources in Cilium
 {{ kops_feature_table(kops_added_default='1.21', k8s_min='1.20') }}

--- a/docs/releases/1.22-NOTES.md
+++ b/docs/releases/1.22-NOTES.md
@ -116,6 +116,8 @@ Currently this is only available using the AWS cloud provider.
  The previous behavior of using self-signed certs may be restored by setting `kubeControllerManager.tlsCertFile` and/or
  `kubeScheduler.tlsCertFile` to `""` in the cluster spec.

+* Cilium now supports the wireguard protocol for transparent encryption.
+
 # Full change list since 1.21.0 release

 ## 1.22.0-alpha.1 to 1.22.0-alpha.2
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@ -3653,6 +3653,10 @@ spec:
                        description: EnableIpv6 is not implemented and may be removed
                          in the future. Setting this has no effect.
                        type: boolean
+                      encryptionType:
+                        description: 'EncryptionType specifies Cilium Encryption method
+                          ("ipsec", "wireguard"). Default: ipsec'
+                        type: string
                      envoyLog:
                        description: EnvoyLog is not implemented and may be removed
                          in the future. Setting this has no effect.
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@ -266,6 +266,11 @@ type AmazonVPCNetworkingSpec struct {

 const CiliumIpamEni = "eni"

+type CiliumEncryptionType string
+
+const CiliumEncryptionTypeIPSec CiliumEncryptionType = "ipsec"
+const CiliumEncryptionTypeWireguard CiliumEncryptionType = "wireguard"
+
 // CiliumNetworkingSpec declares that we want Cilium networking
 type CiliumNetworkingSpec struct {
 	// Version is the version of the Cilium agent and the Cilium Operator.
@ -343,6 +348,9 @@ type CiliumNetworkingSpec struct {
 	// EnableEncryption enables Cilium Encryption.
 	// Default: false
 	EnableEncryption bool `json:"enableEncryption,omitempty"`
+	// EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
+	// Default: ipsec
+	EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
 	// EnvoyLog is not implemented and may be removed in the future.
 	// Setting this has no effect.
 	EnvoyLog string `json:"envoyLog,omitempty"`
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@ -266,6 +266,11 @@ type AmazonVPCNetworkingSpec struct {

 const CiliumIpamEni = "eni"

+type CiliumEncryptionType string
+
+const CiliumEncryptionTypeIPSec CiliumEncryptionType = "ipsec"
+const CiliumEncryptionTypeWireguard CiliumEncryptionType = "wireguard"
+
 // CiliumNetworkingSpec declares that we want Cilium networking
 type CiliumNetworkingSpec struct {
 	// Version is the version of the Cilium agent and the Cilium Operator.
@ -343,6 +348,9 @@ type CiliumNetworkingSpec struct {
 	// EnableEncryption enables Cilium Encryption.
 	// Default: false
 	EnableEncryption bool `json:"enableEncryption,omitempty"`
+	// EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
+	// Default: ipsec
+	EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
 	// EnvoyLog is not implemented and may be removed in the future.
 	// Setting this has no effect.
 	EnvoyLog string `json:"envoyLog,omitempty"`
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@ -1774,6 +1774,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	out.EnableTracing = in.EnableTracing
 	out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
 	out.EnableEncryption = in.EnableEncryption
+	out.EncryptionType = kops.CiliumEncryptionType(in.EncryptionType)
 	out.EnvoyLog = in.EnvoyLog
 	out.IdentityAllocationMode = in.IdentityAllocationMode
 	out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
@ -1881,6 +1882,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 	out.EnableTracing = in.EnableTracing
 	out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
 	out.EnableEncryption = in.EnableEncryption
+	out.EncryptionType = CiliumEncryptionType(in.EncryptionType)
 	out.EnvoyLog = in.EnvoyLog
 	out.IdentityAllocationMode = in.IdentityAllocationMode
 	out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@ -845,6 +845,10 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 				allErrs = append(allErrs, field.Forbidden(fldPath.Child("hubble", "enabled"), "Hubble requires that cert manager is enabled"))
 			}
 		}
+
+		if version.Minor < 10 && v.EncryptionType == kops.CiliumEncryptionTypeWireguard {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("encryptionType"), "Cilium EncryptionType=WireGuard is not available for Cilium version < 1.10.0."))
+		}
 	}

 	if v.EnableNodePort && c.KubeProxy != nil && (c.KubeProxy.Enabled == nil || *c.KubeProxy.Enabled) {
@ -879,8 +883,22 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 		allErrs = append(allErrs, IsValidValue(fldPath.Child("bpfLBAlgorithm"), &v.BPFLBAlgorithm, []string{"random", "maglev"})...)
 	}

+	if v.EncryptionType != "" {
+		encryptionType := string(v.EncryptionType)
+		allErrs = append(allErrs, IsValidValue(fldPath.Child("encryptionType"), &encryptionType, []string{"ipsec", "wireguard"})...)
+
+		if v.EncryptionType == "wireguard" {
+			// Cilium with Wireguard integration follow-up --> https://github.com/cilium/cilium/issues/15462.
+			// The following rule of validation should be deleted as this combination
+			// will be supported on future releases of Cilium (>= v1.11.0).
+			if fi.BoolValue(v.EnableL7Proxy) {
+				allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "L7 proxy cannot be enabled if wireguard is enabled."))
+			}
+		}
+	}
+
 	if fi.BoolValue(v.EnableL7Proxy) && v.IPTablesRulesNoinstall {
-		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed"))
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed."))
 	}

 	if v.Ipam != "" {
--- a/pkg/model/components/cilium.go
+++ b/pkg/model/components/cilium.go
@ -149,6 +149,10 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 		c.MemoryRequest = &defaultMemoryRequest
 	}

+	if c.EnableEncryption && c.EncryptionType == "" {
+		c.EncryptionType = kops.CiliumEncryptionTypeIPSec
+	}
+
 	hubble := c.Hubble
 	if hubble != nil {
 		if hubble.Enabled == nil {
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template
@ -83,10 +83,16 @@ data:
  operator-prometheus-serve-addr: ":6942"
  enable-metrics: "true"
  {{ end }}
+
  {{ if .EnableEncryption }}
+  {{ if eq .EncryptionType "ipsec" }}
  enable-ipsec: "true"
  ipsec-key-file: /etc/ipsec/keys
+  {{ else if eq .EncryptionType "wireguard"  }}
+  enable-wireguard: "true"
  {{ end }}
+  {{ end }}
+
  # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
  # address.
  enable-ipv4: "{{ not IsIPv6Only }}"
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -360,7 +360,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 	}

 	ciliumSpec := c.Cluster.Spec.Networking.Cilium
-	if ciliumSpec != nil && ciliumSpec.EnableEncryption {
+	if ciliumSpec != nil && ciliumSpec.EnableEncryption && ciliumSpec.EncryptionType == kops.CiliumEncryptionTypeIPSec {
 		secret, err := secretStore.FindSecret("ciliumpassword")
 		if err != nil {
 			return fmt.Errorf("could not load the ciliumpassword secret: %w", err)