Merge pull request #10037 from h3poteto/iss-9753

Add WireGuard support for Calico CNI
kubernetes · Oct 11, 2020 · 6f85cd9 · 6f85cd9
2 parents 5266619 + b852420
commit 6f85cd9
Show file tree

Hide file tree

Showing 9 changed files with 37 additions and 2 deletions.
diff --git a/docs/networking/calico.md b/docs/networking/calico.md
@@ -56,7 +56,7 @@ To enable this mode in a cluster, add the following to the cluster spec:
       crossSubnet: true
 ```
 In the case of AWS, EC2 instances have source/destination checks enabled by default.
-When you enable cross-subnet mode in kops 1.19+, it is equivalent to: 
+When you enable cross-subnet mode in kops 1.19+, it is equivalent to:
 ```yaml
   networking:
     calico:
@@ -93,6 +93,19 @@ It is possible to configure Calico to use Typha by editing a cluster and adding
       typhaReplicas: 3
 ```
 
+### Configuring WireGuard
+{{ kops_feature_table(kops_added_default='1.19', k8s_min='1.16') }}
+
+Calico supports WireGuard to encrypt pod-to-pod traffic. If you enable this options, WireGuard encryption is automatically enabled for all nodes. At the moment, kops installs WireGuard automatically only when the host OS is *Ubuntu*. For other OSes, WireGuard has to be part of the base image or installed via a hook.
+
+For more details of Calico WireGuard please refer the [Calico Docs](https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic).
+
+```yaml
+  networking:
+    calico:
+      wireguardEnabled: true
+```
+
 ## Getting help
 
 For help with Calico or to report any issues:

diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -2197,6 +2197,9 @@ spec:
                         description: TyphaReplicas is the number of replicas of Typha to deploy
                         format: int32
                         type: integer
+                      wireguardEnabled:
+                        description: 'WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic (default: false)'
+                        type: boolean
                     type: object
                   canal:
                     description: CanalNetworkingSpec declares that we want Canal networking

diff --git a/nodeup/pkg/model/networking/calico.go b/nodeup/pkg/model/networking/calico.go
@@ -21,6 +21,7 @@ import (
 
 	"k8s.io/kops/nodeup/pkg/model"
 	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
 
 // CalicoBuilder configures the etcd TLS support for Calico
@@ -38,6 +39,10 @@ func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
 		return nil
 	}
 
+	if b.Distribution.IsUbuntu() {
+		c.AddTask(&nodetasks.Package{Name: "wireguard"})
+	}
+
 	// @check if tls is enabled and if so, we need to download the client certificates
 	if b.IsKubernetesLT("1.12") && !b.UseEtcdManager() && b.UseEtcdTLS() {
 		name := "calico-client"

diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
@@ -152,6 +152,9 @@ type CalicoNetworkingSpec struct {
 	TyphaPrometheusMetricsPort int32 `json:"typhaPrometheusMetricsPort,omitempty"`
 	// TyphaReplicas is the number of replicas of Typha to deploy
 	TyphaReplicas int32 `json:"typhaReplicas,omitempty"`
+	// WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic
+	// (default: false)
+	WireguardEnabled bool `json:"wireguardEnabled,omitempty"`
 }
 
 // CanalNetworkingSpec declares that we want Canal networking

diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
@@ -152,6 +152,9 @@ type CalicoNetworkingSpec struct {
 	TyphaPrometheusMetricsPort int32 `json:"typhaPrometheusMetricsPort,omitempty"`
 	// TyphaReplicas is the number of replicas of Typha to deploy
 	TyphaReplicas int32 `json:"typhaReplicas,omitempty"`
+	// WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic
+	// (default: false)
+	WireguardEnabled bool `json:"wireguardEnabled,omitempty"`
 }
 
 // CanalNetworkingSpec declares that we want Canal networking

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
diff --git a/upup/models/bindata.go b/upup/models/bindata.go
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
@@ -3937,6 +3937,9 @@ spec:
             # Enable / Disable source/destination checks in AWS
             - name: FELIX_AWSSRCDSTCHECK
               value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AwsSrcDstCheck "DoNothing" -}} {{- end -}}"
+            # Enable WireGuard encryption for all on-the-wire pod-to-pod traffic
+            - name: FELIX_WIREGUARDENABLED
+              value: "{{ .Networking.Calico.WireguardEnabled }}"
           securityContext:
             privileged: true
           resources:

diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -858,7 +858,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 			"k8s-1.7":    "2.6.12-kops.1",
 			"k8s-1.7-v3": "3.8.0-kops.2",
 			"k8s-1.12":   "3.9.6-kops.1",
-			"k8s-1.16":   "3.16.3-kops.1",
+			"k8s-1.16":   "3.16.3-kops.2",
 		}
 
 		{