External Network: gateway tunnel wireguard

.github/dependabot.yml

@@ -34,3 +34,8 @@ updates:
     directory: "/build/proxy"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/build/gateway/tunnel/wireguard"
+    schedule:
+      interval: "daily"

.github/workflows/integration.yml

@@ -90,8 +90,8 @@ jobs:
         - metric-agent
         - telemetry
         - proxy
+        - gateway/wireguard
     steps:
-
       - name: Set up QEMU
         uses: docker/[email protected]
         with:

Makefile

@@ -75,6 +75,7 @@ rbacs: controller-gen
 	$(CONTROLLER_GEN) paths="./cmd/uninstaller" rbac:roleName=liqo-pre-delete output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-pre-delete-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-pre-delete-ClusterRole.yaml
 	$(CONTROLLER_GEN) paths="./cmd/metric-agent" rbac:roleName=liqo-metric-agent output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-metric-agent-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-metric-agent-ClusterRole.yaml
 	$(CONTROLLER_GEN) paths="./cmd/telemetry" rbac:roleName=liqo-telemetry output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-telemetry-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-telemetry-ClusterRole.yaml
+	$(CONTROLLER_GEN) paths="./pkg/gateway/..." rbac:roleName=liqo-gateway output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-gateway-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-gateway-ClusterRole.yaml
 
 # Install gci if not available
 gci:

build/gateway/wireguard/Dockerfile

@@ -0,0 +1,20 @@
+FROM golang:1.21 as goBuilder
+WORKDIR /tmp/builder
+
+COPY go.mod ./go.mod
+COPY go.sum ./go.sum
+RUN  go mod download
+
+COPY . ./
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$(go env GOARCH) go build -ldflags="-s -w" ./cmd/gateway/wireguard
+
+
+FROM alpine:3.18
+
+RUN apk update && \
+    apk add iptables bash wireguard-tools tcpdump conntrack-tools curl iputils && \
+    rm -rf /var/cache/apk/*
+
+COPY --from=goBuilder /tmp/builder/wireguard /usr/bin/liqo-wireguard
+
+ENTRYPOINT [ "/usr/bin/liqo-wireguard" ]

cmd/gateway/wireguard/main.go

@@ -0,0 +1,164 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package wireguard contains the logic to configure the Wireguard interface.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/leaderelection/resourcelock"
+	"k8s.io/klog/v2"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	ipamv1alpha1 "github.com/liqotech/liqo/apis/ipam/v1alpha1"
+	networkingv1alpha1 "github.com/liqotech/liqo/apis/networking/v1alpha1"
+	"github.com/liqotech/liqo/pkg/gateway/tunnel/common"
+	"github.com/liqotech/liqo/pkg/gateway/tunnel/wireguard"
+	flagsutils "github.com/liqotech/liqo/pkg/utils/flags"
+	"github.com/liqotech/liqo/pkg/utils/mapper"
+	"github.com/liqotech/liqo/pkg/utils/restcfg"
+)
+
+var (
+	addToSchemeFunctions = []func(*runtime.Scheme) error{
+		corev1.AddToScheme,
+		networkingv1alpha1.AddToScheme,
+		ipamv1alpha1.AddToScheme,
+	}
+	options = wireguard.NewOptions()
+)
+
+func main() {
+	var cmd = cobra.Command{
+		Use:  "liqo-wireguard",
+		RunE: run,
+	}
+
+	legacyflags := flag.NewFlagSet("legacy", flag.ExitOnError)
+	restcfg.InitFlags(legacyflags)
+	klog.InitFlags(legacyflags)
+	flagsutils.FromFlagToPflag(legacyflags, cmd.Flags())
+
+	wireguard.InitFlags(cmd.Flags(), options)
+	if err := wireguard.MarkFlagsRequired(&cmd, options); err != nil {
+		klog.Error(err)
+		os.Exit(1)
+	}
+
+	if err := cmd.Execute(); err != nil {
+		klog.Error(err)
+		os.Exit(1)
+	}
+}
+
+func run(cmd *cobra.Command, _ []string) error {
+	var err error
+	scheme := runtime.NewScheme()
+
+	// Adds the APIs to the scheme.
+	for _, addToScheme := range addToSchemeFunctions {
+		if err = addToScheme(scheme); err != nil {
+			return fmt.Errorf("unable to add scheme: %w", err)
+		}
+	}
+
+	// Set controller-runtime logger.
+	log.SetLogger(klog.NewKlogr())
+
+	// Get the rest config.
+	cfg := config.GetConfigOrDie()
+
+	// Create the client. This client should be used only outside the reconciler.
+	// This client don't need a cache.
+	cl, err := client.New(cfg, client.Options{
+		Scheme: scheme,
+	})
+	if err != nil {
+		return fmt.Errorf("unable to create client: %w", err)
+	}
+
+	// Create the manager.
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+		MapperProvider:         mapper.LiqoMapperProvider(scheme),
+		Scheme:                 scheme,
+		Namespace:              options.Namespace,
+		MetricsBindAddress:     options.MetricsAddress,
+		HealthProbeBindAddress: options.ProbeAddr,
+		LeaderElection:         options.LeaderElection,
+		LeaderElectionID: fmt.Sprintf(
+			"%s.%s.%s.wgtunnel.liqo.io",
+			wireguard.GenerateResourceName(options.Name), options.Namespace, options.Mode,
+		),
+		LeaderElectionNamespace:       options.Namespace,
+		LeaderElectionReleaseOnCancel: true,
+		LeaderElectionResourceLock:    resourcelock.LeasesResourceLock,
+		LeaseDuration:                 &options.LeaderElectionLeaseDuration,
+		RenewDeadline:                 &options.LeaderElectionRenewDeadline,
+		RetryPeriod:                   &options.LeaderElectionRetryPeriod,
+	})
+	if err != nil {
+		return fmt.Errorf("unable to create manager: %w", err)
+	}
+
+	// Setup the controller.
+	pkr, err := wireguard.NewPublicKeysReconciler(
+		mgr.GetClient(),
+		mgr.GetScheme(),
+		mgr.GetEventRecorderFor("public-keys-controller"),
+		options,
+	)
+	if err != nil {
+		return fmt.Errorf("unable to create public keys reconciler: %w", err)
+	}
+
+	dnsChan := make(chan event.GenericEvent)
+	if options.Mode == common.ModeClient {
+		if wireguard.IsDNSRoutineRequired(options) {
+			go wireguard.StartDNSRoutine(cmd.Context(), dnsChan, options)
+			klog.Infof("Starting DNS routine: resolving the endpoint address every %s", options.DNSCheckInterval.String())
+		} else {
+			options.EndpointIP = net.ParseIP(options.EndpointAddress)
+			klog.Infof("Setting static endpoint IP: %s", options.EndpointIP.String())
+		}
+	}
+
+	// Setup the controller.
+	if err = pkr.SetupWithManager(mgr, dnsChan); err != nil {
+		return fmt.Errorf("unable to setup public keys reconciler: %w", err)
+	}
+
+	// Ensure presence of Secret with private and public keys.
+	if err = wireguard.EnsureKeysSecret(cmd.Context(), cl, options); err != nil {
+		return fmt.Errorf("unable to manage wireguard keys secret: %w", err)
+	}
+
+	// Create the wg-liqo interface and init the wireguard configuration depending on the mode (client/server).
+	if err := wireguard.InitWireguardLink(options); err != nil {
+		return fmt.Errorf("unable to init wireguard link: %w", err)
+	}
+
+	// Start the manager.
+	return mgr.Start(cmd.Context())
+}

deployments/liqo/files/liqo-gateway-ClusterRole.yaml

@@ -0,0 +1,21 @@
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+- apiGroups:
+  - networking.liqo.io
+  resources:
+  - publickeys
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update

deployments/liqo/templates/liqo-gateway-rbac.yaml

@@ -0,0 +1,14 @@
+---
+{{- $gatewayConfig := (merge (dict "name" "gateway" "module" "networking") .) -}}
+
+{{- if .Values.networking.internal }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "liqo.prefixedName" $gatewayConfig }}
+  labels:
+    {{- include "liqo.labels" $gatewayConfig | nindent 4 }}
+{{ .Files.Get (include "liqo.cluster-role-filename" (dict "prefix" ( include "liqo.prefixedName" $gatewayConfig))) }}
+
+{{- end }}

pkg/consts/externalnetwork.go

@@ -30,6 +30,8 @@ const (
 	// GatewayTypeClient indicates a Gateway of type client.
 	GatewayTypeClient = "client"
 
+	// PrivateKeyField is the data field of the secrets containing private keys.
+	PrivateKeyField = "privateKey"
 	// PublicKeyField is the data field of the secrets containing public keys.
 	PublicKeyField = "publicKey"
 )

pkg/gateway/tunnel/common/doc.go

@@ -0,0 +1,16 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package common contains the common functions used by the tunneling package.
+package common

pkg/gateway/tunnel/common/netlink.go

@@ -0,0 +1,32 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package common
+
+import "github.com/vishvananda/netlink"
+
+// AddAddress adds an IP address to the Wireguard interface.
+func AddAddress(link netlink.Link, ip string) error {
+	addr, err := netlink.ParseAddr(ip)
+	if err != nil {
+		return err
+	}
+
+	return netlink.AddrAdd(link, addr)
+}
+
+// GetLink returns the Wireguard interface.
+func GetLink(name string) (netlink.Link, error) {
+	return netlink.LinkByName(name)
+}

pkg/gateway/tunnel/common/options.go

@@ -0,0 +1,51 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package common
+
+import (
+	"fmt"
+)
+
+// Mode is the mode in which the wireguard interface is configured.
+type Mode string
+
+const (
+	// ModeServer is the mode in which the wireguard interface is configured as a server.
+	ModeServer Mode = "server"
+	// ModeClient is the mode in which the wireguard interface is configured as a client.
+	ModeClient Mode = "client"
+)
+
+// String returns the string representation of the mode.
+func (m Mode) String() string {
+	return string(m)
+}
+
+// Set sets the value of the mode.
+func (m *Mode) Set(value string) error {
+	if value == "" {
+		return fmt.Errorf("mode cannot be empty")
+	}
+	if value != ModeServer.String() && value != ModeClient.String() {
+		return fmt.Errorf("invalid mode %q", value)
+	}
+	*m = Mode(value)
+	return nil
+}
+
+// Type returns the type of the mode.
+func (m *Mode) Type() string {
+	return "string"
+}