Add support for cilium ipsec (#7342)

* Add support for cilium ipsec * Fix typo for bpffs
3 years ago · d53fd29e34
7 changed files with 88 additions and 45 deletions
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@ -51,3 +51,6 @@ cilium_deploy_additionally: false
 # information about this kind of setups.
 cilium_auto_direct_node_routes: false
 cilium_native_routing_cidr: ""
+
+# IPsec based transparent encryption between nodes
+cilium_ipsec_enabled: false
--- a/roles/network_plugin/cilium/tasks/check.yml
+++ b/roles/network_plugin/cilium/tasks/check.yml
@ -0,0 +1,9 @@
+---
+- name: Cilium | Check cilium_ipsec_enabled variables
+  assert:
+    that:
+      - "cilium_ipsec_key is defined"
+    msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled"
+  when:
+    - cilium_ipsec_enabled
+    - cilium_tunnel_mode in ['vxlan']
--- a/roles/network_plugin/cilium/tasks/install.yml
+++ b/roles/network_plugin/cilium/tasks/install.yml
@ -0,0 +1,48 @@
+---
+- name: Cilium | Ensure BPFFS mounted
+  mount:
+    fstype: bpf
+    path: /sys/fs/bpf
+    src: bpffs
+    state: mounted
+
+- name: Cilium | Create Cilium certs directory
+  file:
+    dest: "{{ cilium_cert_dir }}"
+    state: directory
+    mode: 0750
+    owner: root
+    group: root
+
+- name: Cilium | Link etcd certificates for cilium
+  file:
+    src: "{{ etcd_cert_dir }}/{{ item.s }}"
+    dest: "{{ cilium_cert_dir }}/{{ item.d }}"
+    state: hard
+    force: yes
+  with_items:
+    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
+    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
+    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
+
+- name: Cilium | Create Cilium node manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item.file }}"
+  with_items:
+    - {name: cilium, file: cilium-config.yml, type: cm}
+    - {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
+    - {name: cilium, file: cilium-cr.yml, type: clusterrole}
+    - {name: cilium, file: cilium-secret.yml, type: secret, when: cilium_ipsec_enabled}
+    - {name: cilium, file: cilium-ds.yml, type: ds}
+    - {name: cilium, file: cilium-deploy.yml, type: deploy}
+    - {name: cilium, file: cilium-sa.yml, type: sa}
+  register: cilium_node_manifests
+  when:
+    - inventory_hostname in groups['kube-master']
+
+- name: Cilium | Enable portmap addon
+  template:
+    src: 000-cilium-portmap.conflist.j2
+    dest: /etc/cni/net.d/000-cilium-portmap.conflist
+  when: cilium_enable_portmap
--- a/roles/network_plugin/cilium/tasks/main.yml
+++ b/roles/network_plugin/cilium/tasks/main.yml
@ -1,47 +1,4 @@
 ---
- name: Cilium | Ensure BFPFS mounted
-  mount:
-    fstype: bpf
-    path: /sys/fs/bpf
-    src: bpffs
-    state: mounted
+- import_tasks: check.yml

- name: Cilium | Create Cilium certs directory
-  file:
-    dest: "{{ cilium_cert_dir }}"
-    state: directory
-    mode: 0750
-    owner: root
-    group: root
-
- name: Cilium | Link etcd certificates for cilium
-  file:
-    src: "{{ etcd_cert_dir }}/{{ item.s }}"
-    dest: "{{ cilium_cert_dir }}/{{ item.d }}"
-    state: hard
-    force: yes
-  with_items:
-    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
-    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
-    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
-
- name: Cilium | Create Cilium node manifests
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/{{ item.file }}"
-  with_items:
-    - {name: cilium, file: cilium-config.yml, type: cm}
-    - {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
-    - {name: cilium, file: cilium-cr.yml, type: clusterrole}
-    - {name: cilium, file: cilium-ds.yml, type: ds}
-    - {name: cilium, file: cilium-deploy.yml, type: deploy}
-    - {name: cilium, file: cilium-sa.yml, type: sa}
-  register: cilium_node_manifests
-  when:
-    - inventory_hostname in groups['kube-master']
-
- name: Cilium | Enable portmap addon
-  template:
-    src: 000-cilium-portmap.conflist.j2
-    dest: /etc/cni/net.d/000-cilium-portmap.conflist
-  when: cilium_enable_portmap
+- include_tasks: install.yml
--- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
@ -155,3 +155,10 @@ data:
  hubble-metrics-server: ":9091"
 {% endif %}
 {% endif %}
+
+  # IPsec based transparent encryption between nodes
+{% if cilium_ipsec_enabled %}
+  enable-ipsec: "true"
+  ipsec-key-file: /etc/ipsec/keys
+  encrypt-node: "false"
+{% endif %}
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@ -166,6 +166,11 @@ spec:
          readOnly: true
        - mountPath: /run/xtables.lock
          name: xtables-lock
+{% if cilium_ipsec_enabled %}
+        - mountPath: /etc/ipsec
+          name: cilium-ipsec-secrets
+          readOnly: true
+{% endif %}
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: false
@ -280,6 +285,11 @@ spec:
      - configMap:
          name: cilium-config
        name: cilium-config-path
+{% if cilium_ipsec_enabled %}
+      - name: cilium-ipsec-secrets
+        secret:
+          secretName: cilium-ipsec-keys
+{% endif %}
  updateStrategy:
    rollingUpdate:
      # Specifies the maximum number of Pods that can be unavailable during the update process.
--- a/roles/network_plugin/cilium/templates/cilium-secret.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-secret.yml.j2
@ -0,0 +1,9 @@
+---
+apiVersion: v1
+data:
+  keys: {{ cilium_ipsec_key }}
+kind: Secret
+metadata:
+  name: cilium-ipsec-keys
+  namespace: kube-system
+type: Opaque