Calico wireguard (#7638)

* Calico: add Wireguard support * CI: Add Calico Wireguard scenario
3 years ago · a2cf6816ce
16 changed files with 138 additions and 0 deletions
--- a/.gitlab-ci/packet.yml
+++ b/.gitlab-ci/packet.yml
@ -201,6 +201,14 @@ packet_centos7-weave-upgrade-ha:
    UPGRADE_TEST: basic
    MITOGEN_ENABLE: "false"

+# Calico HA Wireguard
+packet_ubuntu20-calico-ha-wireguard:
+  stage: deploy-part2
+  extends: .packet_pr
+  when: manual
+  variables:
+    MITOGEN_ENABLE: "true"
+
 packet_debian9-calico-upgrade:
  stage: deploy-part3
  extends: .packet_pr
--- a/docs/calico.md
+++ b/docs/calico.md
@ -330,3 +330,23 @@ tc exec bpf debug
 ```

 Please see [Calico eBPF troubleshooting guide](https://docs.projectcalico.org/maintenance/troubleshoot/troubleshoot-ebpf#ebpf-program-debug-logs).
+
+## Wireguard Encryption
+
+Calico supports using Wireguard for encryption. Please see the docs on [encryptiong cluster pod traffic](https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic).
+
+To enable wireguard support:
+
+```yaml
+calico_wireguard_enabled: true
+```
+
+The following OSes will require enabling the EPEL repo in order to bring in wireguard tools:
+
+* CentOS 7 & 8
+* AlmaLinux 8
+* Amazon Linux 2
+
+```yaml
+epel_enabled: true
+```
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml
@ -100,3 +100,6 @@
 # If you want use the default route interface when you use multiple interface with dynamique route (iproute2)
 # see https://docs.projectcalico.org/reference/node/configuration : FELIX_DEVICEROUTESOURCEADDRESS
 # calico_use_default_route_src_ipaddr: false
+
+# Enable calico traffic encryption with wireguard
+# calico_wireguard_enabled: false
--- a/roles/bootstrap-os/tasks/bootstrap-amazon.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-amazon.yml
@ -0,0 +1,13 @@
+---
+- name: Enable EPEL repo for Amazon Linux
+  yum_repository:
+    name: epel
+    file: epel
+    description: Extra Packages for Enterprise Linux 7 - $basearch
+    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
+    gpgcheck: yes
+    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+    skip_if_unavailable: yes
+    enabled: yes
+    repo_gpgcheck: no
+  when: epel_enabled
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@ -9,6 +9,9 @@
 - include_tasks: bootstrap-centos.yml
  when: '''ID="centos"'' in os_release.stdout_lines or ''ID="ol"'' in os_release.stdout_lines or ''ID="almalinux"'' in os_release.stdout_lines'

+- include_tasks: bootstrap-amazon.yml
+  when: '''ID="amzn"'' in os_release.stdout_lines'
+
 - include_tasks: bootstrap-redhat.yml
  when: '''ID="rhel"'' in os_release.stdout_lines'

--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@ -80,6 +80,11 @@ calico_iptables_lock_timeout_secs: 10
 # Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND)
 calico_iptables_backend: "Legacy"

+# Calico Wireguard support
+calico_wireguard_enabled: false
+calico_wireguard_packages: []
+calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-{{ ansible_distribution_major_version }}-$basearch/
+
 # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of:
 # * can-reach=DESTINATION
 # * interface=INTERFACE-REGEX
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@ -1,4 +1,14 @@
 ---
+- name: Calico | Install Wireguard packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ calico_wireguard_packages }}"
+  register: calico_package_install
+  until: calico_package_install is succeeded
+  retries: 4
+  when: calico_wireguard_enabled
+
 - name: Calico | Copy calicoctl binary from download dir
  copy:
    src: "{{ local_release_dir }}/calicoctl"
@ -148,6 +158,7 @@
          "bpfLogLevel": "{{ calico_bpf_log_level }}",
          "bpfEnabled": {{ calico_bpf_enabled | bool }},
          "bpfExternalServiceMode": "{{ calico_bpf_service_mode }}",
+          "wireguardEnabled": {{ calico_wireguard_enabled | bool }},
          "logSeverityScreen": "{{ calico_felix_log_severity_screen }}" }}
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@ -3,4 +3,6 @@

 - import_tasks: pre.yml

+- import_tasks: repos.yml
+
 - include_tasks: install.yml
--- a/roles/network_plugin/calico/tasks/pre.yml
+++ b/roles/network_plugin/calico/tasks/pre.yml
@ -25,3 +25,20 @@
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when:
  - "cloud_provider is defined"
+
+- name: Calico | Gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+  - files:
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+    - "{{ ansible_distribution|lower }}.yml"
+    - "{{ ansible_os_family|lower }}-{{ ansible_architecture }}.yml"
+    - "{{ ansible_os_family|lower }}.yml"
+    - defaults.yml
+    paths:
+    - ../vars
+    skip: true
+  tags:
+  - facts
--- a/roles/network_plugin/calico/tasks/repos.yml
+++ b/roles/network_plugin/calico/tasks/repos.yml
@ -0,0 +1,20 @@
+---
+- name: Calico | Add wireguard yum repo
+  when:
+    - calico_wireguard_enabled
+  block:
+
+    - name: Calico | Add wireguard yum repo
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:jdoss:wireguard
+        file: _copr:copr.fedorainfracloud.org:jdoss:wireguard
+        description: Copr repo for wireguard owned by jdoss
+        baseurl: "{{ calico_wireguard_repo }}"
+        gpgcheck: yes
+        gpgkey: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg
+        skip_if_unavailable: yes
+        enabled: yes
+        repo_gpgcheck: no
+      when:
+        - ansible_os_family in ['RedHat']
+        - ansible_distribution not in ['Fedora']
--- a/roles/network_plugin/calico/vars/amazon.yml
+++ b/roles/network_plugin/calico/vars/amazon.yml
@ -0,0 +1,5 @@
+---
+calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-7-$basearch/
+calico_wireguard_packages:
+  - wireguard-dkms
+  - wireguard-tools
--- a/roles/network_plugin/calico/vars/debian.yml
+++ b/roles/network_plugin/calico/vars/debian.yml
@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard
--- a/roles/network_plugin/calico/vars/fedora.yml
+++ b/roles/network_plugin/calico/vars/fedora.yml
@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard-tools
--- a/roles/network_plugin/calico/vars/opensuse.yml
+++ b/roles/network_plugin/calico/vars/opensuse.yml
@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard-tools
--- a/roles/network_plugin/calico/vars/redhat.yml
+++ b/roles/network_plugin/calico/vars/redhat.yml
@ -0,0 +1,4 @@
+---
+calico_wireguard_packages:
+  - wireguard-dkms
+  - wireguard-tools
--- a/tests/files/packet_ubuntu20-calico-ha-wireguard.yml
+++ b/tests/files/packet_ubuntu20-calico-ha-wireguard.yml
@ -0,0 +1,18 @@
+---
+# Instance settings
+cloud_image: ubuntu-2004
+mode: ha
+vm_memory: 1600Mi
+
+# Kubespray settings
+kube_network_plugin: calico
+deploy_netchecker: true
+
+calico_wireguard_enabled: true
+
+# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
+kube_proxy_mode: iptables
+# KVM kernel used by packet instances is missing the dummy.ko kernel module so it cannot enable nodelocaldns
+enable_nodelocaldns: false
+
+auto_renew_certificates: true