-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add wireguard backend #1230
Add wireguard backend #1230
Conversation
666b780
to
8bc0c3b
Compare
Looks like removing vendor directory wasn't a reliable decision. I reverted this and rebased to latest changes. |
e806d62
to
f8b6c12
Compare
ec75ceb
to
2aeba33
Compare
25a77cc
to
95bee33
Compare
It's ready to be reviewed. Beside provided e2e tests I did some manual tests with a kubernetes cluster. |
Hey @andreek , could you please rebase? I will be able to review this PR in the next days |
3057696
to
9463414
Compare
Hey @manuelbuil, thank you for your time. The rebase is done. The e2e-tests are not working anymore. If I'm running Running tests in dist/functional-test.sh
Running test_hostgw_perf... Error: client: etcd cluster is unavailable or misconfigured; error #0: client: endpoint http://10.244.2.1:2379 exceeded header timeout
error #0: client: endpoint http://10.244.2.1:2379 exceeded header timeout This error message I can even reproduce with current master branch. And I guess this is also the reason why the pipeline on this PR did not pass. But I'm still waiting to see some logs from actions. Can you maybe give any feedback to this issue? After fixing the pipeline I want to add another change. Currently the private key is generated every time flannel spawns. I think it would be the better solution to store the key in flannel config dir and only generate the key if the file does not exists. I'm looking forward to implement this change on the weekend. I would give you a ping when I added this change to the PR. |
4c5aa7c
to
765b029
Compare
No worries! Thanks for you work. I don't see anything in the flannel logs. It'd be great if you could try to reproduce it, I hope it is not something related to my env. |
I was not able to reproduce this problem. I have deployed a small kubernetes cluster (1 control plane / 2 nodes) and applied Can you describe in more detail how you deployed flannel in your cluster? |
I tried again with the latest code and it worked :) |
Could you add a comment on top of |
5fd7a39
to
b8274d8
Compare
tested dual-stack and works too :) |
5ba1414
to
bbd01fc
Compare
@manuelbuil squashed |
To put code where my mount is wrt. #1230 (comment) Flannel implementation of a single wg dev: https://github.com/sjoerdsimons/flannel/tree/wip/sjoerd/wireguard-single-dev As an example of how the wireguard interface (can) end up:
The main idea for the endpoint is to use a heuristic to pick the address family that is the most likely to end up with a working connection. Obviously a next step might be to also make this configurable so it can be user overridden. And as mentioned before as long as one side of the tunnel can connect to the other everything is happy. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general looks good, thanks for working on that! Just some minor comments about:
- error wrapping
- using
defer
, especially if there are error checks beforeclient.Close()
- one code duplication which probably would be nice to break into more pieces, if possible
Thanks for the review. Applied your suggestions and reduced code duplication. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! LGTM
@andreek just asking back, did take a look at the proposed implementation from #1230 (comment), which handles both v4 and v6 in the same wg dev? I don't think we should default to requiring public IPv4 and IPv6 adresses to work, but I'd rather prefer above behaviour by default. If you disagree, this implementation should still have some docs explaining the current behaviour, and the differences. It might be seen as a regression, at least for people coming from the k3s wireguard implementation. |
I noticed it, but I gave a detailed response on this decision in the other thread. Believe me in the first prototype implementation of dual-stack I did it the same way. But if you look deeper into the implementation of dual-stack in flannel you'll notice that it is a rude decision to completely ignore either the v4 or v6 public address. So I still think it's the best way to integrate wireguard in the current implementation of dual-stack in flannel. My suggestion is still to add configuration for the wireguard backend that will opt-in for v4 or v6 only in the inter-host communication in dual-stack mode. But as I mentioned I want to address this by another PR, because it takes some refactoring to do this in a readable fashion and it requires more testing.
Will add a comment to Can you explain the regression to me? Because I don't see there is dual-stack support for wireguard now. And k3s is requiring a public v6 address as well for dual-stack support: |
dcd3a14
to
98e904a
Compare
Added the comment mentioned, rebased and squashed. |
Eww, you're right. The whole extension framework is IPv4 only - I thought
Alright, then let's tackle this in a followup PR. |
98e904a
to
4c5f708
Compare
Just did a minor update, because I found some error logs which aren't using error wrapping. |
No it requires a ipv6 address on the interface; A link-local address is enough, there is no strict requirement for a public ipv6 address. |
Why is it rude to ignore it? They're just potential tunnel endpoints (it's unfortunate you can only provide one endpoint to the kernel). I still failed to find a good reason for this particular, and somewhat surprising, approach...
... but please don't block this on my behalf. Adding configuration later for a single wireguard interface, rather then one per address family later seems reasonable. |
I think we all agree that the extra config can be added in a later patch. Let's merge this one then! Thanks @andreek, great work! |
Description
Adds wireguard support to flannel. Based on the extension backend example.
Add dependency wgctrl-go to manage wireguard device.
A dependency of wgctrl-go forced me to update go version. I migrated glide to go modules according to this guide.I marked this as WIP, because I disabled ipsec tests. Read more about the problem in #1211. I will rebase and change title when we have a solution for this issue.Fixed by 5dc1ff6 / 117c102Todos
Release Note