Calico wireguard (#7638)

* Calico: add Wireguard support * CI: Add Calico Wireguard scenario
2021-06-25 13:22:45 +03:00 · 2021-06-25 13:22:45 +03:00 · a2cf6816ce
commit a2cf6816ce
parent 7b3bc54cc3
16 changed files with 138 additions and 0 deletions
--- a/.gitlab-ci/packet.yml
+++ b/.gitlab-ci/packet.yml
@ -201,6 +201,14 @@ packet_centos7-weave-upgrade-ha:
    UPGRADE_TEST: basic
    MITOGEN_ENABLE: "false"
 # Calico HA Wireguard
 packet_ubuntu20-calico-ha-wireguard:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
  variables:
    MITOGEN_ENABLE: "true"
 packet_debian9-calico-upgrade:
  stage: deploy-part3
  extends: .packet_pr
--- a/docs/calico.md
+++ b/docs/calico.md
@ -330,3 +330,23 @@ tc exec bpf debug
 ```
 Please see [Calico eBPF troubleshooting guide](https://docs.projectcalico.org/maintenance/troubleshoot/troubleshoot-ebpf#ebpf-program-debug-logs).
 ## Wireguard Encryption
 Calico supports using Wireguard for encryption. Please see the docs on [encryptiong cluster pod traffic](https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic).
 To enable wireguard support:
 ```yaml
 calico_wireguard_enabled: true
 ```
 The following OSes will require enabling the EPEL repo in order to bring in wireguard tools:
 * CentOS 7 & 8
 * AlmaLinux 8
 * Amazon Linux 2
 ```yaml
 epel_enabled: true
 ```
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml
@ -100,3 +100,6 @@
 # If you want use the default route interface when you use multiple interface with dynamique route (iproute2)
 # see https://docs.projectcalico.org/reference/node/configuration : FELIX_DEVICEROUTESOURCEADDRESS
 # calico_use_default_route_src_ipaddr: false
 # Enable calico traffic encryption with wireguard
 # calico_wireguard_enabled: false
--- a/roles/bootstrap-os/tasks/bootstrap-amazon.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-amazon.yml
@ -0,0 +1,13 @@
 ---
 - name: Enable EPEL repo for Amazon Linux
  yum_repository:
    name: epel
    file: epel
    description: Extra Packages for Enterprise Linux 7 - $basearch
    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
    gpgcheck: yes
    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
    skip_if_unavailable: yes
    enabled: yes
    repo_gpgcheck: no
  when: epel_enabled
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@ -9,6 +9,9 @@
 - include_tasks: bootstrap-centos.yml
  when: '''ID="centos"'' in os_release.stdout_lines or ''ID="ol"'' in os_release.stdout_lines or ''ID="almalinux"'' in os_release.stdout_lines'
 - include_tasks: bootstrap-amazon.yml
  when: '''ID="amzn"'' in os_release.stdout_lines'
 - include_tasks: bootstrap-redhat.yml
  when: '''ID="rhel"'' in os_release.stdout_lines'
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@ -80,6 +80,11 @@ calico_iptables_lock_timeout_secs: 10
 # Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND)
 calico_iptables_backend: "Legacy"
 # Calico Wireguard support
 calico_wireguard_enabled: false
 calico_wireguard_packages: []
 calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-{{ ansible_distribution_major_version }}-$basearch/
 # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of:
 # * can-reach=DESTINATION
 # * interface=INTERFACE-REGEX
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@ -1,4 +1,14 @@
 ---
 - name: Calico | Install Wireguard packages
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ calico_wireguard_packages }}"
  register: calico_package_install
  until: calico_package_install is succeeded
  retries: 4
  when: calico_wireguard_enabled
 - name: Calico | Copy calicoctl binary from download dir
  copy:
    src: "{{ local_release_dir }}/calicoctl"
@ -148,6 +158,7 @@
          "bpfLogLevel": "{{ calico_bpf_log_level }}",
          "bpfEnabled": {{ calico_bpf_enabled | bool }},
          "bpfExternalServiceMode": "{{ calico_bpf_service_mode }}",
          "wireguardEnabled": {{ calico_wireguard_enabled | bool }},
          "logSeverityScreen": "{{ calico_felix_log_severity_screen }}" }}
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@ -3,4 +3,6 @@
 - import_tasks: pre.yml
 - import_tasks: repos.yml
 - include_tasks: install.yml
--- a/roles/network_plugin/calico/tasks/pre.yml
+++ b/roles/network_plugin/calico/tasks/pre.yml
@ -25,3 +25,20 @@
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when:
  - "cloud_provider is defined"
 - name: Calico | Gather os specific variables
  include_vars: "{{ item }}"
  with_first_found:
  - files:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}-{{ ansible_architecture }}.yml"
    - "{{ ansible_os_family|lower }}.yml"
    - defaults.yml
    paths:
    - ../vars
    skip: true
  tags:
  - facts
--- a/roles/network_plugin/calico/tasks/repos.yml
+++ b/roles/network_plugin/calico/tasks/repos.yml
@ -0,0 +1,20 @@
 ---
 - name: Calico | Add wireguard yum repo
  when:
    - calico_wireguard_enabled
  block:
    - name: Calico | Add wireguard yum repo
      yum_repository:
        name: copr:copr.fedorainfracloud.org:jdoss:wireguard
        file: _copr:copr.fedorainfracloud.org:jdoss:wireguard
        description: Copr repo for wireguard owned by jdoss
        baseurl: "{{ calico_wireguard_repo }}"
        gpgcheck: yes
        gpgkey: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg
        skip_if_unavailable: yes
        enabled: yes
        repo_gpgcheck: no
      when:
        - ansible_os_family in ['RedHat']
        - ansible_distribution not in ['Fedora']
--- a/roles/network_plugin/calico/vars/amazon.yml
+++ b/roles/network_plugin/calico/vars/amazon.yml
@ -0,0 +1,5 @@
 ---
 calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-7-$basearch/
 calico_wireguard_packages:
  - wireguard-dkms
  - wireguard-tools
--- a/roles/network_plugin/calico/vars/debian.yml
+++ b/roles/network_plugin/calico/vars/debian.yml
@ -0,0 +1,3 @@
 ---
 calico_wireguard_packages:
  - wireguard
--- a/roles/network_plugin/calico/vars/fedora.yml
+++ b/roles/network_plugin/calico/vars/fedora.yml
@ -0,0 +1,3 @@
 ---
 calico_wireguard_packages:
  - wireguard-tools
--- a/roles/network_plugin/calico/vars/opensuse.yml
+++ b/roles/network_plugin/calico/vars/opensuse.yml
@ -0,0 +1,3 @@
 ---
 calico_wireguard_packages:
  - wireguard-tools
--- a/roles/network_plugin/calico/vars/redhat.yml
+++ b/roles/network_plugin/calico/vars/redhat.yml
@ -0,0 +1,4 @@
 ---
 calico_wireguard_packages:
  - wireguard-dkms
  - wireguard-tools
--- a/tests/files/packet_ubuntu20-calico-ha-wireguard.yml
+++ b/tests/files/packet_ubuntu20-calico-ha-wireguard.yml
@ -0,0 +1,18 @@
 ---
 # Instance settings
 cloud_image: ubuntu-2004
 mode: ha
 vm_memory: 1600Mi
 # Kubespray settings
 kube_network_plugin: calico
 deploy_netchecker: true
 calico_wireguard_enabled: true
 # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
 kube_proxy_mode: iptables
 # KVM kernel used by packet instances is missing the dummy.ko kernel module so it cannot enable nodelocaldns
 enable_nodelocaldns: false
 auto_renew_certificates: true