Refactor for initial release

[knisbet]

I realize you haven't really seen the prototype code, so this PR is really the initial commit to a CNI plugin utilizing wireguard. It's built on the initial design doc I shared and updated. It's also been converted to markdown so it can live inside the repo (docs/rfcs/0001-spec.md).

To try and summarize:

• The controller uses kubernetes crd objects for exchanging state and keys via the kubernetes API. The controller gets deployed to each node, which watches for these objects, and synchronizes the configuration with wireguard on the host to create a full mesh VPN between each network host and act as a cluster.
• The controller also uses a secret object for synchronizing pre-shared-keys for each host-pair. Currently this uses a single object, with last writer wins.
• On startup, all wireguard keys are rotated, effectively making the keys used ephemeral, and eliminating a need for long term secrets.
• The wireguard kernel module needs to be installed on the host ahead of time, I don't currently know how to load it from a docker container, that supports multiple kernel distros and releases.
• I'm currently using the wg cli from within the docker container of the controller to update the wg config. Eventually this should be able to use netlink, it's just updating the go netlink project is more than I want to tackle at the moment.
• I'm experimenting with using mage as a build system instead of make. Basically, it allows for writing the build scripting in go, which makes it easier to do certain types of logic. It's an experiment, but let me know what you think.
• /pkg/apis - This is the CRD definition, it requires a specific directory layout
• /pkg/client - automatically generated code
• /pkg/controller - this is the main controller logic
• /pkg/iptables - control loop for iptables related configuration
• /pkg/wireguard - separate package for controlling wireguard
• /hack - standardish kubernetes hack scripts for code generations
• /scripts - scripts to embed in the container for interop with gravity (use rigging for upgrde/rollback)

Sorry it's kind of big, but I changed and refactored lots of the internals as I went.

[r0mant]

Is this a common package naming pattern used for Kubernetes 3rd party APIs? Reads weird.

[knisbet]

Yes. I believe this is a required format / path structure to match the CRD group name as a path (wormhole.gravitational.io)

[r0mant]

If it's important for the node name to be an actual Kubernetes node name, I think it'll be more reliable to use Nodes API rather than relying on hostname.

[knisbet]

Sorry, I'm not sure I follow.

The normal flow is to read the Pod name/namespace from the environment, find the pod object for the controller, and read the node name from the spec.

when not running in a pod though, using the Nodes API, how do I find the Node object that matches the host the process is running on? I think we still need to come up with a name, which in some cases the os.Hostname() covers, and otherwise it needs to be passed as a flag to the process.

[a-palchikov]

For me none of the build targets work:

=====> Creating build container...

unable to prepare context: The Dockerfile (/home/deemok/go/src/github.com/gravitational/wormhole/Dockerfile.build) must be within the build context (./assets)
Error: running "docker build --pull --tag wormhole-build:0.0.1-9-g696cc34 --build-arg BUILD_IMAGE=golang:1.12.0 --build-arg GOLANGCI_VER=v1.15.0 -f Dockerfile.build ./assets" failed with exit code 1
exit status 1

is there a specific docker dependency?

Also, I cannot comment on multiple issues since they're not part of the commit.

[a-palchikov]

As far as I understand, Run is blocking - then watching for signals below is not working as expected - something needs to run in a goroutune.

[knisbet]

good catch, it originally worked differently and I missed the change. What i've done is move the signal handling to a separate routine, and cancels the context.

[a-palchikov]

Since I cannot comment on multiple issues which are not part of the commit, I'm going to resort to linking to specific file locations.

https://github.com/gravitational/wormhole/blob/kevin/master/productionalize/cmd/wormhole/controller.go#L149
nit: no need for the buffer > 1 here.

https://github.com/gravitational/wormhole/blob/kevin/master/productionalize/pkg/iptables/iptables.go#L46
there should be a Godoc that mentions that Run starts a new goroutine which will only be cancelled with ctx expiring.

https://github.com/gravitational/wormhole/blob/kevin/master/productionalize/pkg/iptables/iptables.go#L173
I think returning an error also for missing rules will let you get rid of the boolean return.

[knisbet]

@a-palchikov Re: the unable to build. It looks like the ability to have the dockerfile outside the build context was added in docker 18.03. I did it this way, just for a small optimization of keeping the build context smaller and not having to send built binaries, etc.

docker/cli#886

[a-palchikov]

seconds