diff --git a/.gitlab-ci/packet.yml b/.gitlab-ci/packet.yml index b149b927e..5d9387618 100644 --- a/.gitlab-ci/packet.yml +++ b/.gitlab-ci/packet.yml @@ -201,6 +201,14 @@ packet_centos7-weave-upgrade-ha: UPGRADE_TEST: basic MITOGEN_ENABLE: "false" +# Calico HA Wireguard +packet_ubuntu20-calico-ha-wireguard: + stage: deploy-part2 + extends: .packet_pr + when: manual + variables: + MITOGEN_ENABLE: "true" + packet_debian9-calico-upgrade: stage: deploy-part3 extends: .packet_pr diff --git a/docs/calico.md b/docs/calico.md index 13c1856c7..3858ad6ea 100644 --- a/docs/calico.md +++ b/docs/calico.md @@ -330,3 +330,23 @@ tc exec bpf debug ``` Please see [Calico eBPF troubleshooting guide](https://docs.projectcalico.org/maintenance/troubleshoot/troubleshoot-ebpf#ebpf-program-debug-logs). + +## Wireguard Encryption + +Calico supports using Wireguard for encryption. Please see the docs on [encryptiong cluster pod traffic](https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic). + +To enable wireguard support: + +```yaml +calico_wireguard_enabled: true +``` + +The following OSes will require enabling the EPEL repo in order to bring in wireguard tools: + +* CentOS 7 & 8 +* AlmaLinux 8 +* Amazon Linux 2 + +```yaml +epel_enabled: true +``` diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml index 84f24b414..86a11bf1a 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml +++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-calico.yml @@ -100,3 +100,6 @@ # If you want use the default route interface when you use multiple interface with dynamique route (iproute2) # see https://docs.projectcalico.org/reference/node/configuration : FELIX_DEVICEROUTESOURCEADDRESS # calico_use_default_route_src_ipaddr: false + +# Enable calico traffic encryption with wireguard +# calico_wireguard_enabled: false diff --git a/roles/bootstrap-os/tasks/bootstrap-amazon.yml b/roles/bootstrap-os/tasks/bootstrap-amazon.yml new file mode 100644 index 000000000..2b4d665d3 --- /dev/null +++ b/roles/bootstrap-os/tasks/bootstrap-amazon.yml @@ -0,0 +1,13 @@ +--- +- name: Enable EPEL repo for Amazon Linux + yum_repository: + name: epel + file: epel + description: Extra Packages for Enterprise Linux 7 - $basearch + baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch + gpgcheck: yes + gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 + skip_if_unavailable: yes + enabled: yes + repo_gpgcheck: no + when: epel_enabled diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml index 5016b96c8..0403e166f 100644 --- a/roles/bootstrap-os/tasks/main.yml +++ b/roles/bootstrap-os/tasks/main.yml @@ -9,6 +9,9 @@ - include_tasks: bootstrap-centos.yml when: '''ID="centos"'' in os_release.stdout_lines or ''ID="ol"'' in os_release.stdout_lines or ''ID="almalinux"'' in os_release.stdout_lines' +- include_tasks: bootstrap-amazon.yml + when: '''ID="amzn"'' in os_release.stdout_lines' + - include_tasks: bootstrap-redhat.yml when: '''ID="rhel"'' in os_release.stdout_lines' diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml index c95833f1b..ac1229c02 100644 --- a/roles/network_plugin/calico/defaults/main.yml +++ b/roles/network_plugin/calico/defaults/main.yml @@ -80,6 +80,11 @@ calico_iptables_lock_timeout_secs: 10 # Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND) calico_iptables_backend: "Legacy" +# Calico Wireguard support +calico_wireguard_enabled: false +calico_wireguard_packages: [] +calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-{{ ansible_distribution_major_version }}-$basearch/ + # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of: # * can-reach=DESTINATION # * interface=INTERFACE-REGEX diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml index 4c196acc5..41ae4134b 100644 --- a/roles/network_plugin/calico/tasks/install.yml +++ b/roles/network_plugin/calico/tasks/install.yml @@ -1,4 +1,14 @@ --- +- name: Calico | Install Wireguard packages + package: + name: "{{ item }}" + state: present + with_items: "{{ calico_wireguard_packages }}" + register: calico_package_install + until: calico_package_install is succeeded + retries: 4 + when: calico_wireguard_enabled + - name: Calico | Copy calicoctl binary from download dir copy: src: "{{ local_release_dir }}/calicoctl" @@ -148,6 +158,7 @@ "bpfLogLevel": "{{ calico_bpf_log_level }}", "bpfEnabled": {{ calico_bpf_enabled | bool }}, "bpfExternalServiceMode": "{{ calico_bpf_service_mode }}", + "wireguardEnabled": {{ calico_wireguard_enabled | bool }}, "logSeverityScreen": "{{ calico_felix_log_severity_screen }}" }} when: - inventory_hostname == groups['kube_control_plane'][0] diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml index 94c57e9ec..df5812036 100644 --- a/roles/network_plugin/calico/tasks/main.yml +++ b/roles/network_plugin/calico/tasks/main.yml @@ -3,4 +3,6 @@ - import_tasks: pre.yml +- import_tasks: repos.yml + - include_tasks: install.yml diff --git a/roles/network_plugin/calico/tasks/pre.yml b/roles/network_plugin/calico/tasks/pre.yml index e3ca15065..e274808b6 100644 --- a/roles/network_plugin/calico/tasks/pre.yml +++ b/roles/network_plugin/calico/tasks/pre.yml @@ -25,3 +25,20 @@ delegate_to: "{{ groups['kube_control_plane'][0] }}" when: - "cloud_provider is defined" + +- name: Calico | Gather os specific variables + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}.yml" + - "{{ ansible_os_family|lower }}-{{ ansible_architecture }}.yml" + - "{{ ansible_os_family|lower }}.yml" + - defaults.yml + paths: + - ../vars + skip: true + tags: + - facts diff --git a/roles/network_plugin/calico/tasks/repos.yml b/roles/network_plugin/calico/tasks/repos.yml new file mode 100644 index 000000000..41cbf7d0b --- /dev/null +++ b/roles/network_plugin/calico/tasks/repos.yml @@ -0,0 +1,20 @@ +--- +- name: Calico | Add wireguard yum repo + when: + - calico_wireguard_enabled + block: + + - name: Calico | Add wireguard yum repo + yum_repository: + name: copr:copr.fedorainfracloud.org:jdoss:wireguard + file: _copr:copr.fedorainfracloud.org:jdoss:wireguard + description: Copr repo for wireguard owned by jdoss + baseurl: "{{ calico_wireguard_repo }}" + gpgcheck: yes + gpgkey: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg + skip_if_unavailable: yes + enabled: yes + repo_gpgcheck: no + when: + - ansible_os_family in ['RedHat'] + - ansible_distribution not in ['Fedora'] diff --git a/roles/network_plugin/calico/vars/amazon.yml b/roles/network_plugin/calico/vars/amazon.yml new file mode 100644 index 000000000..83efdcdb0 --- /dev/null +++ b/roles/network_plugin/calico/vars/amazon.yml @@ -0,0 +1,5 @@ +--- +calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-7-$basearch/ +calico_wireguard_packages: + - wireguard-dkms + - wireguard-tools diff --git a/roles/network_plugin/calico/vars/debian.yml b/roles/network_plugin/calico/vars/debian.yml new file mode 100644 index 000000000..baf603cfd --- /dev/null +++ b/roles/network_plugin/calico/vars/debian.yml @@ -0,0 +1,3 @@ +--- +calico_wireguard_packages: + - wireguard diff --git a/roles/network_plugin/calico/vars/fedora.yml b/roles/network_plugin/calico/vars/fedora.yml new file mode 100644 index 000000000..43df5457a --- /dev/null +++ b/roles/network_plugin/calico/vars/fedora.yml @@ -0,0 +1,3 @@ +--- +calico_wireguard_packages: + - wireguard-tools diff --git a/roles/network_plugin/calico/vars/opensuse.yml b/roles/network_plugin/calico/vars/opensuse.yml new file mode 100644 index 000000000..43df5457a --- /dev/null +++ b/roles/network_plugin/calico/vars/opensuse.yml @@ -0,0 +1,3 @@ +--- +calico_wireguard_packages: + - wireguard-tools diff --git a/roles/network_plugin/calico/vars/redhat.yml b/roles/network_plugin/calico/vars/redhat.yml new file mode 100644 index 000000000..a83a8a5fe --- /dev/null +++ b/roles/network_plugin/calico/vars/redhat.yml @@ -0,0 +1,4 @@ +--- +calico_wireguard_packages: + - wireguard-dkms + - wireguard-tools diff --git a/tests/files/packet_ubuntu20-calico-ha-wireguard.yml b/tests/files/packet_ubuntu20-calico-ha-wireguard.yml new file mode 100644 index 000000000..71fc6e7c3 --- /dev/null +++ b/tests/files/packet_ubuntu20-calico-ha-wireguard.yml @@ -0,0 +1,18 @@ +--- +# Instance settings +cloud_image: ubuntu-2004 +mode: ha +vm_memory: 1600Mi + +# Kubespray settings +kube_network_plugin: calico +deploy_netchecker: true + +calico_wireguard_enabled: true + +# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko +kube_proxy_mode: iptables +# KVM kernel used by packet instances is missing the dummy.ko kernel module so it cannot enable nodelocaldns +enable_nodelocaldns: false + +auto_renew_certificates: true