From d53fd29e34f46b453c28f5400549ff83b91cf284 Mon Sep 17 00:00:00 2001
From: Qasim Sarfraz
Date: Tue, 23 Mar 2021 21:46:06 +0100
Subject: [PATCH] Add support for cilium ipsec (#7342)

* Add support for cilium ipsec

* Fix typo for bpffs
---
roles/network_plugin/cilium/defaults/main.yml | 3 ++
roles/network_plugin/cilium/tasks/check.yml | 9 ++++
roles/network_plugin/cilium/tasks/install.yml | 48 +++++++++++++++++++
roles/network_plugin/cilium/tasks/main.yml | 47 +-----------------
.../cilium/templates/cilium-config.yml.j2 | 7 +++
.../cilium/templates/cilium-ds.yml.j2 | 10 ++++
.../cilium/templates/cilium-secret.yml.j2 | 9 ++++
7 files changed, 88 insertions(+), 45 deletions(-)
create mode 100644 roles/network_plugin/cilium/tasks/check.yml
create mode 100644 roles/network_plugin/cilium/tasks/install.yml
create mode 100644 roles/network_plugin/cilium/templates/cilium-secret.yml.j2
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index 2bb1fdad5..48e254474 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -51,3 +51,6 @@ cilium_deploy_additionally: false
# information about this kind of setups.
cilium_auto_direct_node_routes: false
cilium_native_routing_cidr: ""
+
+# IPsec based transparent encryption between nodes
+cilium_ipsec_enabled: false
\ No newline at end of file
diff --git a/roles/network_plugin/cilium/tasks/check.yml b/roles/network_plugin/cilium/tasks/check.yml
new file mode 100644
index 000000000..88ebfe958
--- /dev/null
+++ b/roles/network_plugin/cilium/tasks/check.yml
@@ -0,0 +1,9 @@
+---
+- name: Cilium | Check cilium_ipsec_enabled variables
+ assert:
+ that:
+ - "cilium_ipsec_key is defined"
+ msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled"
+ when:
+ - cilium_ipsec_enabled
+ - cilium_tunnel_mode in ['vxlan']
\ No newline at end of file
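Review bot: `cilium_ipsec_enabled` gets a default here, but `cilium_ipsec_key`, which the new secret template and the new check both consume, is declared nowhere in defaults, so the only hint that it exists or what shape it takes is the assert message in check.yml. Add a commented placeholder next to the flag, e.g. `# cilium_ipsec_key: ""  # base64-encoded content of the Cilium IPsec key file; required when cilium_ipsec_enabled is true`, and say in that comment that the value belongs in vault or an external secret store rather than committed inventory. The `\ No newline at end of file` marker shows the file is also left without a trailing newline.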
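Review bot: The assert only fires when `cilium_tunnel_mode in ['vxlan']`, while everything else this change adds (the secret manifest, the DaemonSet volume, the `enable-ipsec` config key) is gated on `cilium_ipsec_enabled` alone, so an IPsec-enabled deployment in any other tunnel mode skips the validation and a missing key surfaces later as an undefined variable while rendering cilium-secret.yml.j2. If the vxlan constraint reflects a real limitation, move it into `that:` as `- cilium_tunnel_mode in ['vxlan']` with a message saying so, so that the unsupported combination fails clearly; otherwise drop that `when:` entry so the check covers every enabled configuration. Since the value ends up under a Secret's `data:` field, a second condition such as `- "cilium_ipsec_key | length > 0"` and a message that mentions the base64 expectation would catch the most common mistake before any manifest is written.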
diff --git a/roles/network_plugin/cilium/tasks/install.yml b/roles/network_plugin/cilium/tasks/install.yml
new file mode 100644
index 000000000..7a8750d5d
--- /dev/null
+++ b/roles/network_plugin/cilium/tasks/install.yml
@@ -0,0 +1,48 @@
+---
+- name: Cilium | Ensure BPFFS mounted
+ mount:
+ fstype: bpf
+ path: /sys/fs/bpf
+ src: bpffs
+ state: mounted
+
+- name: Cilium | Create Cilium certs directory
+ file:
+ dest: "{{ cilium_cert_dir }}"
+ state: directory
+ mode: 0750
+ owner: root
+ group: root
+
+- name: Cilium | Link etcd certificates for cilium
+ file:
+ src: "{{ etcd_cert_dir }}/{{ item.s }}"
+ dest: "{{ cilium_cert_dir }}/{{ item.d }}"
+ state: hard
+ force: yes
+ with_items:
+ - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
+ - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
+ - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
+
+- name: Cilium | Create Cilium node manifests
+ template:
+ src: "{{ item.file }}.j2"
+ dest: "{{ kube_config_dir }}/{{ item.file }}"
+ with_items:
+ - {name: cilium, file: cilium-config.yml, type: cm}
+ - {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
+ - {name: cilium, file: cilium-cr.yml, type: clusterrole}
+ - {name: cilium, file: cilium-secret.yml, type: secret, when: cilium_ipsec_enabled}
+ - {name: cilium, file: cilium-ds.yml, type: ds}
+ - {name: cilium, file: cilium-deploy.yml, type: deploy}
+ - {name: cilium, file: cilium-sa.yml, type: sa}
+ register: cilium_node_manifests
+ when:
+ - inventory_hostname in groups['kube-master']
+
+- name: Cilium | Enable portmap addon
+ template:
+ src: 000-cilium-portmap.conflist.j2
+ dest: /etc/cni/net.d/000-cilium-portmap.conflist
+ when: cilium_enable_portmap
diff --git a/roles/network_plugin/cilium/tasks/main.yml b/roles/network_plugin/cilium/tasks/main.yml
index 2960c6253..515536094 100644
--- a/roles/network_plugin/cilium/tasks/main.yml
+++ b/roles/network_plugin/cilium/tasks/main.yml
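Review bot: The `when: cilium_ipsec_enabled` inside the cilium-secret.yml entry of `with_items` is only a key of that item dictionary; Ansible never evaluates it, so the task's sole condition is the `kube-master` membership check and `cilium-secret.yml.j2` is rendered on every run. With IPsec disabled and `cilium_ipsec_key` unset that render fails on an undefined variable under the default undefined-variable behaviour, and the apply step that consumes `cilium_node_manifests` (outside this hunk) would presumably submit the secret regardless of the flag. Make the item flag a real boolean and honour it in the task condition: `- {name: cilium, file: cilium-secret.yml, type: secret, when: "{{ cilium_ipsec_enabled }}"}` in the list, and `- item.when | default(true) | bool` as a second entry under the task's `when:`. Separately, the `template:` call sets no `mode`, so the rendered manifest carrying the IPsec key is written to `{{ kube_config_dir }}` with umask-default permissions; `mode: 0640` on that call keeps the key off a world-readable path unless that directory is already restricted.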
@@ -1,47 +1,4 @@
---
-- name: Cilium | Ensure BFPFS mounted
- mount:
- fstype: bpf
- path: /sys/fs/bpf
- src: bpffs
- state: mounted
+- import_tasks: check.yml

-- name: Cilium | Create Cilium certs directory
- file:
- dest: "{{ cilium_cert_dir }}"
- state: directory
- mode: 0750
- owner: root
- group: root
-
-- name: Cilium | Link etcd certificates for cilium
- file:
- src: "{{ etcd_cert_dir }}/{{ item.s }}"
- dest: "{{ cilium_cert_dir }}/{{ item.d }}"
- state: hard
- force: yes
- with_items:
- - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
- - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
- - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
-
-- name: Cilium | Create Cilium node manifests
- template:
- src: "{{ item.file }}.j2"
- dest: "{{ kube_config_dir }}/{{ item.file }}"
- with_items:
- - {name: cilium, file: cilium-config.yml, type: cm}
- - {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
- - {name: cilium, file: cilium-cr.yml, type: clusterrole}
- - {name: cilium, file: cilium-ds.yml, type: ds}
- - {name: cilium, file: cilium-deploy.yml, type: deploy}
- - {name: cilium, file: cilium-sa.yml, type: sa}
- register: cilium_node_manifests
- when:
- - inventory_hostname in groups['kube-master']
-
-- name: Cilium | Enable portmap addon
- template:
- src: 000-cilium-portmap.conflist.j2
- dest: /etc/cni/net.d/000-cilium-portmap.conflist
- when: cilium_enable_portmap
+- include_tasks: install.yml
\ No newline at end of file
diff --git a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
index 4385f3bae..d430fe733 100644
--- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
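Review bot: The rewritten main.yml mixes a static `- import_tasks: check.yml` with a dynamic `- include_tasks: install.yml` with no visible reason for the difference; the two behave differently under `--list-tasks` and tagging (tags on an `include_tasks` apply to the include itself, not to the tasks inside it, unless `apply:` is used), so unless the dynamic form is deliberate, `- import_tasks: install.yml` keeps the role uniform and its task list inspectable. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.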
@@ -155,3 +155,10 @@ data: hubble-metrics-server: ":9091" {% endif %} {% endif %} + + # IPsec based transparent encryption between nodes +{% if cilium_ipsec_enabled %} + enable-ipsec: "true" + ipsec-key-file: /etc/ipsec/keys + encrypt-node: "false" +{% endif %} \ No newline at end of file diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 index 07eb78fb9..1c79cc140 100644 --- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 @@ -166,6 +166,11 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock +{% if cilium_ipsec_enabled %} + - mountPath: /etc/ipsec + name: cilium-ipsec-secrets + readOnly: true +{% endif %} dnsPolicy: ClusterFirstWithHostNet hostNetwork: true hostPID: false @@ -280,6 +285,11 @@ spec: - configMap: name: cilium-config name: cilium-config-path +{% if cilium_ipsec_enabled %} + - name: cilium-ipsec-secrets + secret: + secretName: cilium-ipsec-keys +{% endif %} updateStrategy: rollingUpdate: # Specifies the maximum number of Pods that can be unavailable during the update process. diff --git a/roles/network_plugin/cilium/templates/cilium-secret.yml.j2 b/roles/network_plugin/cilium/templates/cilium-secret.yml.j2 new file mode 100644 index 000000000..a5fcc56eb --- /dev/null +++ b/roles/network_plugin/cilium/templates/cilium-secret.yml.j2 @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +data: + keys: {{ cilium_ipsec_key }} +kind: Secret +metadata: + name: cilium-ipsec-keys + namespace: kube-system +type: Opaque \ No newline at end of file
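Review bot: `encrypt-node: "false"` is a hard-coded literal in the new block, so the only IPsec knob the role exposes is on/off, and an operator who wants node-level traffic covered as well (what the Cilium option name suggests it controls; confirm against the pinned Cilium version) has to edit the template. A role variable keeps the current default while exposing the choice: `cilium_ipsec_node_encryption: false` in defaults and `encrypt-node: "{{ cilium_ipsec_node_encryption | bool | lower }}"` here. A one-line comment above the three keys noting that `ipsec-key-file` must match the `/etc/ipsec` mount in the DaemonSet and the `keys` entry of the `cilium-ipsec-keys` Secret would also save the next reader a cross-file lookup.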
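Review bot: `keys: {{ cilium_ipsec_key }}` sits under `data:`, so the API server accepts only a base64-encoded value and rejects a plaintext key file at apply time, yet nothing in the role states that expectation; the unquoted Jinja expansion also means an empty value turns the field into YAML null rather than failing with a clear message. Quote the value, `keys: "{{ cilium_ipsec_key }}"`, and either put a comment above `data:` stating that the variable must hold the base64 encoding of the key file, or switch the field to `stringData:` so operators supply the file content verbatim (the agent reads it from `/etc/ipsec/keys`, so the entry name must stay `keys` either way). Keep in mind this manifest is templated to disk on the control-plane nodes by install.yml, so the key's handling on the host matters as much as its handling in the cluster.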