Skip to content

Commit

Permalink
gateway external secrets
Browse files Browse the repository at this point in the history
  • Loading branch information
aleoli committed Oct 2, 2024
1 parent 523cbc0 commit a3e0804
Show file tree
Hide file tree
Showing 25 changed files with 396 additions and 107 deletions.
3 changes: 3 additions & 0 deletions apis/networking/v1beta1/gatewayclient_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@ type GatewayClientSpec struct {
MTU int `json:"mtu,omitempty"`
// Endpoint specifies the endpoint of the tunnel.
Endpoint EndpointStatus `json:"endpoint,omitempty"`
// SecretRef specifies the reference to the secret containing the wireguard configuration.
// Leave it empty to let the operator create a new secret.
SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
}

// GatewayClientStatus defines the observed state of GatewayClient.
Expand Down
3 changes: 3 additions & 0 deletions apis/networking/v1beta1/gatewayserver_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,9 @@ type GatewayServerSpec struct {
MTU int `json:"mtu,omitempty"`
// Endpoint specifies the endpoint of the tunnel.
Endpoint Endpoint `json:"endpoint,omitempty"`
// SecretRef specifies the reference to the secret containing the wireguard configuration.
// Leave it empty to let the operator create a new secret.
SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
}

// EndpointStatus defines the observed state of the endpoint.
Expand Down
3 changes: 3 additions & 0 deletions apis/networking/v1beta1/wggatewayclient_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ type WgGatewayClientSpec struct {
Deployment DeploymentTemplate `json:"deployment"`
// Metrics specifies the metrics configuration for the client.
Metrics *Metrics `json:"metrics,omitempty"`
// SecretRef specifies the reference to the secret containing the wireguard configuration.
// Leave it empty to let the operator create a new secret.
SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
}

// WgGatewayClientStatus defines the observed state of WgGatewayClient.
Expand Down
3 changes: 3 additions & 0 deletions apis/networking/v1beta1/wggatewayserver_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,9 @@ type WgGatewayServerSpec struct {
Deployment DeploymentTemplate `json:"deployment"`
// Metrics specifies the metrics configuration for the server.
Metrics *Metrics `json:"metrics,omitempty"`
// SecretRef specifies the reference to the secret containing the wireguard configuration.
// Leave it empty to let the operator create a new secret.
SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
}

// WgGatewayServerStatus defines the observed state of WgGatewayServer.
Expand Down
4 changes: 4 additions & 0 deletions apis/networking/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

16 changes: 3 additions & 13 deletions cmd/gateway/wireguard/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@ import (
"k8s.io/klog/v2"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/event"
"sigs.k8s.io/controller-runtime/pkg/log"
Expand Down Expand Up @@ -90,15 +89,6 @@ func run(cmd *cobra.Command, _ []string) error {
// Get the rest config.
cfg := config.GetConfigOrDie()

// Create the client. This client should be used only outside the reconciler.
// This client don't need a cache.
cl, err := client.New(cfg, client.Options{
Scheme: scheme,
})
if err != nil {
return fmt.Errorf("unable to create client: %w", err)
}

// Create the manager.
mgr, err := ctrl.NewManager(cfg, ctrl.Options{
MapperProvider: mapper.LiqoMapperProvider(scheme),
Expand Down Expand Up @@ -155,9 +145,9 @@ func run(cmd *cobra.Command, _ []string) error {
return fmt.Errorf("unable to setup public keys reconciler: %w", err)
}

// Ensure presence of Secret with private and public keys.
if err = wireguard.EnsureKeysSecret(cmd.Context(), cl, options); err != nil {
return fmt.Errorf("unable to manage wireguard keys secret: %w", err)
// Load keys.
if err := wireguard.LoadKeys(options); err != nil {
return fmt.Errorf("unable to load keys: %w", err)
}

// Create the wg-liqo interface and init the wireguard configuration depending on the mode (client/server).
Expand Down
14 changes: 10 additions & 4 deletions cmd/liqo-controller-manager/modules/networking.go
Original file line number Diff line number Diff line change
Expand Up @@ -95,29 +95,35 @@ func SetupNetworkingModule(ctx context.Context, mgr manager.Manager, opts *Netwo
return err
}

wgServerRec := wggatewaycontrollers.NewWgGatewayServerReconciler(
mgr.GetClient(), mgr.GetScheme(), opts.WgGatewayServerClusterRoleName)
wgServerRec := wggatewaycontrollers.NewWgGatewayServerReconciler(mgr.GetClient(), mgr.GetScheme(),
mgr.GetEventRecorderFor("wg-gateway-server-controller"),
opts.WgGatewayServerClusterRoleName)
if err := wgServerRec.SetupWithManager(mgr); err != nil {
klog.Errorf("Unable to start the wgGatewayServerReconciler: %v", err)
return err
}

wgClientRec := wggatewaycontrollers.NewWgGatewayClientReconciler(mgr.GetClient(), mgr.GetScheme(),
mgr.GetEventRecorderFor("wg-gateway-client-controller"),
opts.WgGatewayClientClusterRoleName)
if err := wgClientRec.SetupWithManager(mgr); err != nil {
klog.Errorf("Unable to start the wgGatewayClientReconciler: %v", err)
return err
}

serverReconciler := serveroperator.NewServerReconciler(mgr.GetClient(),
opts.DynClient, opts.Factory, mgr.GetScheme(), opts.GatewayServerResources)
opts.DynClient, opts.Factory, mgr.GetScheme(),
mgr.GetEventRecorderFor("server-controller"),
opts.GatewayServerResources)
if err := serverReconciler.SetupWithManager(mgr); err != nil {
klog.Errorf("Unable to start the serverReconciler: %v", err)
return err
}

clientReconciler := clientoperator.NewClientReconciler(mgr.GetClient(),
opts.DynClient, opts.Factory, mgr.GetScheme(), opts.GatewayClientResources)
opts.DynClient, opts.Factory, mgr.GetScheme(),
mgr.GetEventRecorderFor("client-controller"),
opts.GatewayClientResources)
if err := clientReconciler.SetupWithManager(mgr); err != nil {
klog.Errorf("Unable to start the clientReconciler: %v", err)
return err
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,24 @@ spec:
mtu:
description: MTU specifies the MTU of the tunnel.
type: integer
secretRef:
description: |-
SecretRef specifies the reference to the secret containing the wireguard configuration.
Leave it empty to let the operator create a new secret.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
type: object
status:
description: GatewayClientStatus defines the observed state of GatewayClient.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,24 @@ spec:
mtu:
description: MTU specifies the MTU of the tunnel.
type: integer
secretRef:
description: |-
SecretRef specifies the reference to the secret containing the wireguard configuration.
Leave it empty to let the operator create a new secret.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
serverTemplateRef:
description: ServerTemplateRef specifies the reference to the server
template.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9575,6 +9575,24 @@ spec:
required:
- enabled
type: object
secretRef:
description: |-
SecretRef specifies the reference to the secret containing the wireguard configuration.
Leave it empty to let the operator create a new secret.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
required:
- deployment
type: object
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9575,6 +9575,24 @@ spec:
required:
- enabled
type: object
secretRef:
description: |-
SecretRef specifies the reference to the secret containing the wireguard configuration.
Leave it empty to let the operator create a new secret.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
service:
description: Service specifies the service template for the server.
properties:
Expand Down
10 changes: 0 additions & 10 deletions deployments/liqo/files/liqo-gateway-ClusterRole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,16 +20,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- networking.liqo.io
resources:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ spec:
metadata:
{{- include "liqo.metadataTemplate" $templateConfig | nindent 6 }}
spec:
secretRef:
name: "{{"{{ .Spec.SecretRef.Name }}"}}"
deployment:
metadata:
{{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
Expand Down Expand Up @@ -106,6 +108,9 @@ spec:
{{ if .Values.networking.gatewayTemplates.wireguard.implementation | eq "userspace" }}
privileged: true
{{ end }}
volumeMounts:
- name: wireguard-config
mountPath: /etc/wireguard/keys
- name: geneve
image: {{ .Values.networking.gatewayTemplates.container.geneve.image.name }}{{ include "liqo.suffix" $geneveConfig }}:{{ include "liqo.version" $geneveConfig }}
imagePullPolicy: {{ .Values.pullPolicy }}
Expand Down Expand Up @@ -138,4 +143,8 @@ spec:
- NET_RAW
# Uncomment to set a priorityClassName
# priorityClassName: ""
volumes:
- name: wireguard-config
secret:
secretName: "{{"{{ .SecretName }}"}}"
{{- end }}
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ spec:
metadata:
{{- include "liqo.metadataTemplate" $templateConfig | nindent 6 }}
spec:
secretRef:
name: "{{"{{ .Spec.SecretRef.Name }}"}}"
service:
metadata:
{{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
Expand Down Expand Up @@ -132,6 +134,9 @@ spec:
{{ if .Values.networking.gatewayTemplates.wireguard.implementation | eq "userspace" }}
privileged: true
{{ end }}
volumeMounts:
- name: wireguard-config
mountPath: /etc/wireguard/keys
- name: geneve
image: {{ .Values.networking.gatewayTemplates.container.geneve.image.name }}{{ include "liqo.suffix" $geneveConfig }}:{{ include "liqo.version" $geneveConfig }}
imagePullPolicy: {{ .Values.pullPolicy }}
Expand Down Expand Up @@ -166,4 +171,8 @@ spec:
image: nginx
# Uncomment to set a priorityClassName
# priorityClassName: ""
volumes:
- name: wireguard-config
secret:
secretName: "{{"{{ .SecretName }}"}}"
{{- end }}
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ spec:
metadata:
{{- include "liqo.metadataTemplate" $templateConfig | nindent 6 }}
spec:
secretRef:
name: "{{"{{ .Spec.SecretRef.Name }}"}}"
service:
metadata:
{{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
Expand Down Expand Up @@ -123,6 +125,9 @@ spec:
{{ if .Values.networking.gatewayTemplates.wireguard.implementation | eq "userspace" }}
privileged: true
{{ end }}
volumeMounts:
- name: wireguard-config
mountPath: /etc/wireguard/keys
- name: geneve
image: {{ .Values.networking.gatewayTemplates.container.geneve.image.name }}{{ include "liqo.suffix" $geneveConfig }}:{{ include "liqo.version" $geneveConfig }}
imagePullPolicy: {{ .Values.pullPolicy }}
Expand Down Expand Up @@ -155,4 +160,8 @@ spec:
- NET_RAW
# Uncomment to set a priorityClassName
# priorityClassName: ""
volumes:
- name: wireguard-config
secret:
secretName: "{{"{{ .SecretName }}"}}"
{{- end }}
3 changes: 3 additions & 0 deletions pkg/gateway/tunnel/wireguard/flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ const (
FlagNameEndpointAddress FlagName = "endpoint-address"
// FlagNameEndpointPort is the port of the endpoint for the wireguard interface.
FlagNameEndpointPort FlagName = "endpoint-port"
// FlagNameKeysDir is the directory where the keys are stored.
FlagNameKeysDir FlagName = "keys-dir"

// FlagNameDNSCheckInterval is the interval between two DNS checks.
FlagNameDNSCheckInterval FlagName = "dns-check-interval"
Expand All @@ -61,6 +63,7 @@ func InitFlags(flagset *pflag.FlagSet, opts *Options) {
flagset.IntVar(&opts.ListenPort, FlagNameListenPort.String(), forge.DefaultGwServerPort, "Listen port (server only)")
flagset.StringVar(&opts.EndpointAddress, FlagNameEndpointAddress.String(), "", "Endpoint address (client only)")
flagset.IntVar(&opts.EndpointPort, FlagNameEndpointPort.String(), forge.DefaultGwServerPort, "Endpoint port (client only)")
flagset.StringVar(&opts.KeysDir, FlagNameKeysDir.String(), forge.DefaultKeysDir, "Directory where the keys are stored")

flagset.DurationVar(&opts.DNSCheckInterval, FlagNameDNSCheckInterval.String(), 5*time.Minute, "Interval between two DNS checks")

Expand Down
10 changes: 5 additions & 5 deletions pkg/gateway/tunnel/wireguard/k8s.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,20 +54,20 @@ func CheckKeysSecret(ctx context.Context, cl client.Client, opts *Options) (wgty
}

// CreateKeysSecret creates the private and public keys for the Wireguard interface and save them inside a Secret resource.
func CreateKeysSecret(ctx context.Context, cl client.Client, opts *Options, pri, pub wgtypes.Key) error {
func CreateKeysSecret(ctx context.Context, cl client.Client, opts *gateway.Options, pri, pub wgtypes.Key) error {
secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: forge.GatewayResourceName(opts.GwOptions.Name),
Namespace: opts.GwOptions.Namespace,
Name: forge.GatewayResourceName(opts.Name),
Namespace: opts.Namespace,
},
}

if _, err := controllerutil.CreateOrUpdate(ctx, cl, secret, func() error {
secret.SetLabels(map[string]string{
string(consts.RemoteClusterID): opts.GwOptions.RemoteClusterID,
string(consts.RemoteClusterID): opts.RemoteClusterID,
string(consts.GatewayResourceLabel): string(consts.GatewayResourceLabelValue),
})
if err := gateway.SetOwnerReferenceWithMode(opts.GwOptions, secret, cl.Scheme()); err != nil {
if err := gateway.SetOwnerReferenceWithMode(opts, secret, cl.Scheme()); err != nil {
return err
}
secret.Data = map[string][]byte{
Expand Down
Loading

0 comments on commit a3e0804

Please sign in to comment.