Add support for cilium ipsec (#7342)

* Add support for cilium ipsec

* Fix typo for bpffs
This commit is contained in:
Qasim Sarfraz 2021-03-23 21:46:06 +01:00 committed by GitHub
parent 4f89bfac48
commit d53fd29e34
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 88 additions and 45 deletions


@ -51,3 +51,6 @@ cilium_deploy_additionally: false
# information about this kind of setups. # information about this kind of setups.
cilium_auto_direct_node_routes: false cilium_auto_direct_node_routes: false
cilium_native_routing_cidr: "" cilium_native_routing_cidr: ""
# IPsec based transparent encryption between nodes
cilium_ipsec_enabled: false
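Review bot: The new default introduces `cilium_ipsec_enabled` but says nothing about the companion `cilium_ipsec_key` that the rest of the change requires when it is true, so an operator has to read the secret template to learn that the value ends up in a Kubernetes Secret `data` field and therefore must be base64-encoded keys-file content. Document it next to the flag, e.g. `# cilium_ipsec_key: base64-encoded Cilium IPsec keys file; required when cilium_ipsec_enabled is true` and `# never commit the key itself to inventory in clear text — keep it in vault or a secret store`. The exact keys-file line format depends on the Cilium version in use, so point to the Cilium encryption docs rather than hard-coding it here.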


@ -0,0 +1,9 @@
---
- name: Cilium | Check cilium_ipsec_enabled variables
assert:
that:
- "cilium_ipsec_key is defined"
msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled"
when:
- cilium_ipsec_enabled
- cilium_tunnel_mode in ['vxlan']
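Review bot: The assertion that `cilium_ipsec_key` is defined only runs when `cilium_tunnel_mode` is `vxlan`, so enabling IPsec with any other tunnel mode skips the check and a missing key surfaces later as an undefined-variable error while templating the Secret rather than as this clear message. If the vxlan restriction expresses a Cilium support constraint (it reads like one, but the commit does not say), make it its own assertion inside `that:` with its own `msg`, and keep `when:` to just `cilium_ipsec_enabled` so the key check always runs. The check should also reject an empty value, since an empty key renders an unusable Secret: `- "cilium_ipsec_key is defined and cilium_ipsec_key | length > 0"`.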


@ -0,0 +1,48 @@
---
- name: Cilium | Ensure BPFFS mounted
mount:
fstype: bpf
path: /sys/fs/bpf
src: bpffs
state: mounted
- name: Cilium | Create Cilium certs directory
file:
dest: "{{ cilium_cert_dir }}"
state: directory
mode: 0750
owner: root
group: root
- name: Cilium | Link etcd certificates for cilium
file:
src: "{{ etcd_cert_dir }}/{{ item.s }}"
dest: "{{ cilium_cert_dir }}/{{ item.d }}"
state: hard
force: yes
with_items:
- {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
- name: Cilium | Create Cilium node manifests
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
with_items:
- {name: cilium, file: cilium-config.yml, type: cm}
- {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
- {name: cilium, file: cilium-cr.yml, type: clusterrole}
- {name: cilium, file: cilium-secret.yml, type: secret, when: cilium_ipsec_enabled}
- {name: cilium, file: cilium-ds.yml, type: ds}
- {name: cilium, file: cilium-deploy.yml, type: deploy}
- {name: cilium, file: cilium-sa.yml, type: sa}
register: cilium_node_manifests
when:
- inventory_hostname in groups['kube-master']
- name: Cilium | Enable portmap addon
template:
src: 000-cilium-portmap.conflist.j2
dest: /etc/cni/net.d/000-cilium-portmap.conflist
when: cilium_enable_portmap
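Review bot: The `when: cilium_ipsec_enabled` key on the `cilium-secret.yml` item is never evaluated — Ansible only honours the task-level `when:`, which here checks just `inventory_hostname in groups['kube-master']` — so the Secret template is rendered on every control-plane node even with IPsec disabled, and because `cilium_ipsec_key` has no default it will fail with an undefined-variable error unless it is defined somewhere outside this change. Add the item condition to the task-level `when:` as `- item.when | default(true) | bool` so the key is only required when IPsec is actually enabled. Separately, the rendered `cilium-secret.yml` holds the IPsec key in the clear under `kube_config_dir` and the template task sets no `mode`, so it is written with the default umask; consider `mode: "0640"` on the task so other local users cannot read the key from disk.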


@ -1,47 +1,4 @@
--- ---
- name: Cilium | Ensure BFPFS mounted - import_tasks: check.yml
mount:
fstype: bpf
path: /sys/fs/bpf
src: bpffs
state: mounted
- name: Cilium | Create Cilium certs directory - include_tasks: install.yml
file:
dest: "{{ cilium_cert_dir }}"
state: directory
mode: 0750
owner: root
group: root
- name: Cilium | Link etcd certificates for cilium
file:
src: "{{ etcd_cert_dir }}/{{ item.s }}"
dest: "{{ cilium_cert_dir }}/{{ item.d }}"
state: hard
force: yes
with_items:
- {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
- name: Cilium | Create Cilium node manifests
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
with_items:
- {name: cilium, file: cilium-config.yml, type: cm}
- {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
- {name: cilium, file: cilium-cr.yml, type: clusterrole}
- {name: cilium, file: cilium-ds.yml, type: ds}
- {name: cilium, file: cilium-deploy.yml, type: deploy}
- {name: cilium, file: cilium-sa.yml, type: sa}
register: cilium_node_manifests
when:
- inventory_hostname in groups['kube-master']
- name: Cilium | Enable portmap addon
template:
src: 000-cilium-portmap.conflist.j2
dest: /etc/cni/net.d/000-cilium-portmap.conflist
when: cilium_enable_portmap
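Review bot: The new `main.yml` pulls in `check.yml` with `import_tasks` but `install.yml` with `include_tasks`, and nothing in the change motivates the asymmetry; the two forms differ in when they are resolved and in how tags and `when` on the parent propagate, which makes the role harder to reason about when someone later runs it with `--tags`. Unless the dynamic include is needed, use `- import_tasks: install.yml` for both, or add a one-line comment explaining why the install step must be dynamic.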


@ -154,4 +154,11 @@ data:
{% if cilium_enable_hubble_metrics %} {% if cilium_enable_hubble_metrics %}
hubble-metrics-server: ":9091" hubble-metrics-server: ":9091"
{% endif %} {% endif %}
{% endif %}
# IPsec based transparent encryption between nodes
{% if cilium_ipsec_enabled %}
enable-ipsec: "true"
ipsec-key-file: /etc/ipsec/keys
encrypt-node: "false"
{% endif %} {% endif %}
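Review bot: `encrypt-node: "false"` is hard-coded, which (as far as the Cilium option name indicates — confirm for the deployed version) leaves host-originated, non-pod traffic outside the IPsec tunnel even though the surrounding comment promises "transparent encryption between nodes"; an operator reading only `cilium_ipsec_enabled` may assume all inter-node traffic is covered. At minimum document the scope in the template, e.g. `# Only pod traffic is encrypted; host/node traffic is left in the clear (encrypt-node is fixed to false)`, and consider exposing the value as a role default rather than a literal so the more protective setting can be chosen per cluster.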


@ -166,6 +166,11 @@ spec:
readOnly: true readOnly: true
- mountPath: /run/xtables.lock - mountPath: /run/xtables.lock
name: xtables-lock name: xtables-lock
{% if cilium_ipsec_enabled %}
- mountPath: /etc/ipsec
name: cilium-ipsec-secrets
readOnly: true
{% endif %}
dnsPolicy: ClusterFirstWithHostNet dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true hostNetwork: true
hostPID: false hostPID: false
@ -280,6 +285,11 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
{% if cilium_ipsec_enabled %}
- name: cilium-ipsec-secrets
secret:
secretName: cilium-ipsec-keys
{% endif %}
updateStrategy: updateStrategy:
rollingUpdate: rollingUpdate:
# Specifies the maximum number of Pods that can be unavailable during the update process. # Specifies the maximum number of Pods that can be unavailable during the update process.


@ -0,0 +1,9 @@
---
apiVersion: v1
data:
keys: {{ cilium_ipsec_key }}
kind: Secret
metadata:
name: cilium-ipsec-keys
namespace: kube-system
type: Opaque
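Review bot: `keys: {{ cilium_ipsec_key }}` is emitted unquoted under `data`, which the API server requires to be base64; if an operator supplies the raw keys-file line (it contains spaces and parentheses) the manifest is still valid YAML but the apply fails with an opaque base64 decode error, and a value that happens to look like a number or boolean would be retyped by YAML before it even reaches the API. Quote the value, `keys: "{{ cilium_ipsec_key }}"`, and either document that the variable is the base64 encoding of the keys file or switch the template to `stringData:` with `keys: "{{ cilium_ipsec_key }}"` so the operator provides the plaintext line and the encoding is done by the API server. A comment in the template stating which of the two the variable is expected to hold would prevent the most likely misconfiguration.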