Cilium wireguard support

docs/networking/cilium.md

@@ -136,6 +136,8 @@ Note that since Cilium Operator is the entity that interacts with the EC2 API to
 Also note that this feature has only been tested on the default kOps AMIs.
 
 #### Enabling Encryption in Cilium
+
+##### ipsec
 {{ kops_feature_table(kops_added_default='1.19', k8s_min='1.17') }}
 
 As of kOps 1.19, it is possible to enable encryption for Cilium agent.
@@ -153,6 +155,20 @@ Once the secret has been created, encryption can be enabled by setting `enableEn
       enableEncryption: true
 ```
 
+##### wireguard
+{{ kops_feature_table(kops_added_default='1.22', k8s_min='1.17') }}
+
+Cilium can make use of the [wireguard protocol for transparent encryption](https://docs.cilium.io/en/v1.10/gettingstarted/encryption-wireguard/). Take care to familiarise yourself with the [limitations](https://docs.cilium.io/en/v1.10/gettingstarted/encryption-wireguard/#limitations).
+
+```yaml
+  networking:
+    cilium:
+      enableEncryption: true
+      enableL7Proxy: false
+      encryptionType: wireguard
+```
+
+
 #### Resources in Cilium
 {{ kops_feature_table(kops_added_default='1.21', k8s_min='1.20') }}
 

docs/releases/1.22-NOTES.md

@@ -116,6 +116,8 @@ Currently this is only available using the AWS cloud provider.
   The previous behavior of using self-signed certs may be restored by setting `kubeControllerManager.tlsCertFile` and/or
   `kubeScheduler.tlsCertFile` to `""` in the cluster spec.
 
+* Cilium now supports the wireguard protocol for transparent encryption.
+
 # Full change list since 1.21.0 release
 
 ## 1.22.0-alpha.1 to 1.22.0-alpha.2

k8s/crds/kops.k8s.io_clusters.yaml

@@ -3653,6 +3653,10 @@ spec:
                         description: EnableIpv6 is not implemented and may be removed
                           in the future. Setting this has no effect.
                         type: boolean
+                      encryptionType:
+                        description: 'EncryptionType specifies Cilium Encryption method
+                          ("ipsec", "wireguard"). Default: ipsec'
+                        type: string
                       envoyLog:
                         description: EnvoyLog is not implemented and may be removed
                           in the future. Setting this has no effect.

pkg/apis/kops/networking.go

@@ -266,6 +266,11 @@ type AmazonVPCNetworkingSpec struct {
 
 const CiliumIpamEni = "eni"
 
+type CiliumEncryptionType string
+
+const CiliumEncryptionTypeIPSec CiliumEncryptionType = "ipsec"
+const CiliumEncryptionTypeWireguard CiliumEncryptionType = "wireguard"
+
 // CiliumNetworkingSpec declares that we want Cilium networking
 type CiliumNetworkingSpec struct {
 	// Version is the version of the Cilium agent and the Cilium Operator.
@@ -343,6 +348,9 @@ type CiliumNetworkingSpec struct {
 	// EnableEncryption enables Cilium Encryption.
 	// Default: false
 	EnableEncryption bool `json:"enableEncryption,omitempty"`
+	// EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
+	// Default: ipsec
+	EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
 	// EnvoyLog is not implemented and may be removed in the future.
 	// Setting this has no effect.
 	EnvoyLog string `json:"envoyLog,omitempty"`

pkg/apis/kops/v1alpha2/networking.go

@@ -266,6 +266,11 @@ type AmazonVPCNetworkingSpec struct {
 
 const CiliumIpamEni = "eni"
 
+type CiliumEncryptionType string
+
+const CiliumEncryptionTypeIPSec CiliumEncryptionType = "ipsec"
+const CiliumEncryptionTypeWireguard CiliumEncryptionType = "wireguard"
+
 // CiliumNetworkingSpec declares that we want Cilium networking
 type CiliumNetworkingSpec struct {
 	// Version is the version of the Cilium agent and the Cilium Operator.
@@ -343,6 +348,9 @@ type CiliumNetworkingSpec struct {
 	// EnableEncryption enables Cilium Encryption.
 	// Default: false
 	EnableEncryption bool `json:"enableEncryption,omitempty"`
+	// EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
+	// Default: ipsec
+	EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
 	// EnvoyLog is not implemented and may be removed in the future.
 	// Setting this has no effect.
 	EnvoyLog string `json:"envoyLog,omitempty"`

pkg/apis/kops/validation/validation.go

@@ -845,6 +845,10 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 				allErrs = append(allErrs, field.Forbidden(fldPath.Child("hubble", "enabled"), "Hubble requires that cert manager is enabled"))
 			}
 		}
+
+		if version.Minor < 10 && v.EncryptionType == kops.CiliumEncryptionTypeWireguard {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("encryptionType"), "Cilium EncryptionType=WireGuard is not available for Cilium version < 1.10.0."))
+		}
 	}
 
 	if v.EnableNodePort && c.KubeProxy != nil && (c.KubeProxy.Enabled == nil || *c.KubeProxy.Enabled) {
@@ -879,8 +883,22 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 		allErrs = append(allErrs, IsValidValue(fldPath.Child("bpfLBAlgorithm"), &v.BPFLBAlgorithm, []string{"random", "maglev"})...)
 	}
 
+	if v.EncryptionType != "" {
+		encryptionType := string(v.EncryptionType)
+		allErrs = append(allErrs, IsValidValue(fldPath.Child("encryptionType"), &encryptionType, []string{"ipsec", "wireguard"})...)
+
+		if v.EncryptionType == "wireguard" {
+			// Cilium with Wireguard integration follow-up --> https://github.com/cilium/cilium/issues/15462.
+			// The following rule of validation should be deleted as this combination
+			// will be supported on future releases of Cilium (>= v1.11.0).
+			if fi.BoolValue(v.EnableL7Proxy) {
+				allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "L7 proxy cannot be enabled if wireguard is enabled."))
+			}
+		}
+	}
+
 	if fi.BoolValue(v.EnableL7Proxy) && v.IPTablesRulesNoinstall {
-		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed"))
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed."))
 	}
 
 	if v.Ipam != "" {

pkg/model/components/cilium.go

@@ -149,6 +149,10 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 		c.MemoryRequest = &defaultMemoryRequest
 	}
 
+	if c.EnableEncryption && c.EncryptionType == "" {
+		c.EncryptionType = kops.CiliumEncryptionTypeIPSec
+	}
+
 	hubble := c.Hubble
 	if hubble != nil {
 		if hubble.Enabled == nil {

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template

@@ -83,10 +83,16 @@ data:
   operator-prometheus-serve-addr: ":6942"
   enable-metrics: "true"
   {{ end }}
+
   {{ if .EnableEncryption }}
+  {{ if eq .EncryptionType "ipsec" }}
   enable-ipsec: "true"
   ipsec-key-file: /etc/ipsec/keys
+  {{ else if eq .EncryptionType "wireguard"  }}
+  enable-wireguard: "true"
+  {{ end }}
   {{ end }}
+
   # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
   # address.
   enable-ipv4: "{{ not IsIPv6Only }}"

upup/pkg/fi/cloudup/apply_cluster.go

@@ -360,7 +360,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 	}
 
 	ciliumSpec := c.Cluster.Spec.Networking.Cilium
-	if ciliumSpec != nil && ciliumSpec.EnableEncryption {
+	if ciliumSpec != nil && ciliumSpec.EnableEncryption && ciliumSpec.EncryptionType == kops.CiliumEncryptionTypeIPSec {
 		secret, err := secretStore.FindSecret("ciliumpassword")
 		if err != nil {
 			return fmt.Errorf("could not load the ciliumpassword secret: %w", err)